It's worth noting that it is possible to disable unprivileged user namespaces, but the default on several modern linux distros is to have it enabled.

It's indeed a pretty cool combination of ideas to get to the final exploit. I just had a discussion about whether programming is mostly creative or analytical. Seeing this post, the answer (next time) will be "yes."

I an sort of learning how to bypass ASLR right now, it is a very timely PoC for me.