A significant vulnerability has been identified in the Linux kernel’s sch_cake queuing discipline (Qdisc) impacting CentOS 9 systems. This flaw allows local users to elevate their privileges to root, posing a serious security threat.
Details of the Vulnerability
SSD Secure Disclosure, a security research firm, released details of this vulnerability on February 5, 2026. The flaw, which won first place in the Linux category at the TyphoonPWN 2025 competition, is found in the cake_enqueue function of the CAKE Qdisc. It incorrectly returns a success status after dropping packets when buffer limits are exceeded.
This misleading behavior affects parent Qdiscs such as HFSC, resulting in improper state management and triggering a use-after-free (UAF) condition when dequeuing packets. Exploiting this vulnerability allows attackers to execute arbitrary code within the kernel, achieving local privilege escalation (LPE).
Technical Exploitation and Impact
The vulnerability is exploited when the buffer_used exceeds the buffer_limit, causing cake_enqueue to drop packets without indicating failure. In a hierarchical setup, HFSC continues to enqueue packets without error checking, leading to a dangling pointer scenario during packet dequeue operations. Attackers can exploit this by manipulating the queue with crafted control messages, leveraging a sprayed fake Qdisc with ROP gadgets for arbitrary code execution.
Although there is no CVSS score yet, the impact is deemed high as it enables a local attacker to gain root access on affected CentOS 9 systems utilizing the CAKE Qdisc. Red Hat, the upstream provider for CentOS, was notified over three months ago but has yet to release a patch.
Mitigation Strategies
To mitigate this vulnerability, system administrators are advised to avoid using the CAKE Qdisc by executing tc qdisc del dev lo root or switching to alternative queuing disciplines such as HTB. Monitoring tc commands and unusual network traffic is also recommended.
It is crucial to update the kernel once a patch is released and to disable any unnecessary Qdisc modules. Leveraging namespaces and user isolation techniques for high-risk workloads can further enhance security.
This vulnerability underscores the importance of auditing Qdisc usage within the kernel’s traffic control system. Administrators should address these risks promptly to maintain system integrity.
Stay informed with the latest cybersecurity updates by following us on Google News, LinkedIn, and X. Reach out if you have a story to share.
