Skip to content



kexec_file_load - Parse a kexec file and load it into memory.


This system call enables the ability to load a kernel image from a file descriptor into the kernel for later execution. It can be used to make changes to the kernel faster, such as with version upgrades or hardware-related updates. This executes from kernel space, so the file descriptors are coming from kernel space.

It also has a few drawbacks, such as: * It can be hard to verify that the kernel image is correct and free from malicious code. * It may be slow to execute, depending on the hardware and how large the kernel image is.


  • kernel_fd:int[K] - File descriptor containing the kernel image.
  • initrd_fd:int[K] - File descriptor containing the kernel initrd.
  • cmdline_len:unsigned long[K] - Length of the kernel command line, in bytes.
  • cmdline:const char*[K] - Pointer to kernel command line, in kernel mode memory.
  • flags:unsigned long[K] - Optional flags to modify the behavior of the system call.

Available Tags

  • K - Originated from kernel-space.






To ensure that the system call does not modify user-space address tables.

Example Use Case

For example, kexec_file_load can be used to quickly switch from one kernel version to another in order to update the system or to reap the benefits of a newer kernel version.


It can be susceptible to a Time-of-Check Time-of-Use (TOCTOU) vulnerability if not properly guarded against.

  • kexec_load: Allows loading of a kernel image without parsing it first.
  • kexec_file_unload: Unloads a previously loaded kexec file.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.