This push-SS/ESP/EFLAGS/CS/EIP-then-IRET sequence is exactly how the Linux kernel drops into userspace after `execve()`, and getting a selector's RPL bits wrong here is the exact bug class behind real privilege-escalation CVEs where a userspace process tricks the kernel into returning with CPL=0 instead of CPL=3. Every modern OS relies on this ring 0/ring 3 boundary as its fundamental security guarantee between kernel and untrusted applications.