HeadlinesBriefing.com

Userland-Exec Bypasses Noexec: Stealthy RCE on Hardened Linux

Hacker News

A new open-source toolkit demonstrates how to execute arbitrary code on Linux systems with noexec mounts and SELinux/AppArmor enforcement without ever calling execve(2). The userland-exec project achieves stealthy remote code execution by parsing ELF binaries entirely in userspace and transferring control through direct jumps, leaving no filesystem traces or audit trails.

Traditional security measures like mounting /tmp with noexec,nosuid,nodev flags and enabling SELinux enforcing are rendered ineffective once an attacker gains code execution inside a process. The toolkit uses memfd_create for zero-disk-footprint payloads and implements a W^X signal handler dance to bypass memory protection mechanisms. The approach fundamentally challenges the assumption that filesystem-based controls provide meaningful protection against determined attackers.

The project includes a realistic RCE demo featuring a vulnerable TCP server with format-string leaks and stack buffer overflows. Attackers can exploit these vulnerabilities to load and execute payloads entirely in memory, preserving the original process name and context. The technique proves that userland execution bypasses represent a critical threat to hardened Linux environments, requiring defense strategies that go beyond traditional filesystem and MAC controls.
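The briefing says defences must go beyond filesystem and MAC controls; as an added example (not part of the article or of the userland-exec project), this Python scanner reads /proc/<pid>/maps and flags executable mappings with no file on disk behind them, which is what an in-memory ELF loader built on memfd_create leaves behind even when the process name is preserved. The sample maps content and the path /memfd:payload are constructed for the example.

```python
import os
import re

# Constructed /proc/<pid>/maps sample (not a real capture): a disk-backed binary,
# a JIT-like anonymous executable region, a memfd-backed ELF image and [vdso].
SAMPLE_MAPS = """\
55d1c2a00000-55d1c2a01000 r--p 00000000 fd:01 131072 /usr/bin/server
55d1c2a01000-55d1c2a02000 r-xp 00001000 fd:01 131072 /usr/bin/server
7f3e4c000000-7f3e4c021000 rw-p 00000000 00:00 0
7f3e4c021000-7f3e4c023000 r-xp 00000000 00:00 0
7f3e4c100000-7f3e4c110000 r-xp 00000000 00:05 4096 /memfd:payload (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
7ffd1a0fe000-7ffd1a100000 r-xp 00000000 00:00 0 [vdso]
"""

# Fields: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def suspicious_mappings(maps_text):
    """Return (start, end, perms, path, reason) for each executable mapping
    that is not backed by a regular file on disk."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, path = m.groups()
        # Ignore non-executable regions and kernel pseudo-mappings like [vdso].
        if "x" not in perms or path.startswith("["):
            continue
        if path.startswith("/memfd:"):
            findings.append((start, end, perms, path, "memfd-backed executable mapping"))
        elif path == "":
            # Normal for JIT runtimes, so baseline per host before alerting on it.
            findings.append((start, end, perms, path, "anonymous executable mapping"))
    return findings

def scan_proc(proc_root="/proc"):
    """Scan live processes; returns {pid: findings} for those with hits."""
    report = {}
    pids = os.listdir(proc_root) if os.path.isdir(proc_root) else []
    for pid in filter(str.isdigit, pids):
        try:
            with open(f"{proc_root}/{pid}/maps") as fh:
                hits = suspicious_mappings(fh.read())
        except OSError:  # process exited, or not readable by this user
            continue
        if hits:
            report[int(pid)] = hits
    return report
```

Anonymous executable memory is routine for JIT runtimes, so treat the memfd finding as the high-confidence signal and baseline the anonymous one per host.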