A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base address of .text and stack sections for setuid binaries and thus to bypass ASLR because install_exec_creds() is called too late in this function.
An upstream patch:
In our research we was not able to reproduce the issue with the standard RHEL-7 kernel, but only with modified kernel with specially inserted delay, which widens a race window. This means the race condition still exists, i.e. the system is still vulnerable, but it is hard to hit it.