The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because installexeccreds() is called too late in loadelfbinary() in fs/binfmtelf.c, and thus the ptracemay_access() check has a race condition when reading /proc/pid/stat.