The Linux kernel allows local users to bypass ASLR protections for setuid a.out programs when CONFIG_IA32_AOUT is enabled and ia32_aout module is loaded, because install_exec_creds() is called too late in the load_aout_binary() in fs/binfmt_aout.c. Due to this, the ptrace_may_access() check may have a race condition with install_exec_creds() when reading /proc/pid/stat file and reveal information on addresses of kernel structures, henceforth defeating the KASLR protection.