The presented LPE vulnerability was gradually introduced to the Linux Kernel through refactors and optimizations, each commit making sense on its own. The vulnerability itself was exploitable since 2017 (!) and also doubles as a container escape.
the real kicker is the page cache trick making it invisible to disk-based integrity checks, which means your auditd and tripwire setups are worth exactly nothing here