diff --git a/doc/elf-to-mem.txt b/doc/elf-to-mem.txt
index f68322bc..5aa796bb 100644
--- a/doc/elf-to-mem.txt
+++ b/doc/elf-to-mem.txt
@@ -69,11 +69,13 @@ from the address space, then the Linux kernel erases the symlink
 /proc/self/exe.  Linux stores the pathname argument that was specified
 to execve() immediately after the '\0' which terminates the character
 string of the last environment variable [as of execve()].  This is true
-for at least all Linux 2.6, 2.4, and 2.2 kernels.  The pathname is not
-"bound" to the file as strongly as /proc/self/exe (the file may be changed
-without affecting the pathname), but the pathname does provide some
-information.  The pathname may be relative to the working directory,
-so look before any chdir().
+for at least all Linux 2.6, 2.4, and 2.2 kernels.  Linux kernel 2.6.29
+and later records a pointer to that character string in
+Elf32_auxv[AT_EXECFN].  The pathname is not "bound" to the file as
+strongly as /proc/self/exe (the file may be changed without affecting
+the pathname), but the pathname does provide some information.
+The pathname may be relative to the working directory, so look before
+any chdir().
 
 The Elf formats for Linux add an environment variable named "   " [three
 spaces] which saves the results of readlink("/proc/self/exe",,) before