Researchers Exploited Google kernelCTF Instances And Debian 12 With A 0-Day

Posted on August 4, 2025 By CWS

Researchers exploited CVE-2025-38001, a previously unknown Use-After-Free (UAF) vulnerability in the Linux HFSC queuing discipline, to compromise all Google kernelCTF instances (LTS, COS, and mitigation) as well as fully patched Debian 12 systems.

Their work netted an estimated $82,000 in cumulative bounties and underscores the continuing importance of in-depth code auditing beyond automated fuzzing.

Key Takeaways

1. NETEM's packet duplication bug in HFSC qdisc plus TBF rate-limiting turned an infinite RBTree loop into a reliable Use-After-Free.
2. An RBTree pointer-copy trick caused a page-UAF and arbitrary write.
3. Root achieved on Debian 12 and all Google kernelCTF instances; fix available.

Linux Kernel Root Exploit

According to researchers D3vil and FizzBuzz101, the exploit depends on a logic flaw in hfsc_enqueue() that allows a class to be inserted twice into the HFSC "eligible" RBTree when used in conjunction with the NETEM qdisc's packet duplication feature:

NETEM's duplicate option triggers a reentrant call to hfsc_enqueue(), causing init_ed() to run twice and create a cyclic RBTree.

Normally, the resulting infinite loop in hfsc_dequeue() would hang the kernel, but by stacking a TBF qdisc on the root with an extremely low rate, researchers prevented dequeue operations long enough to free the class and trigger a UAF when a new class is inserted.
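The re-entrancy flaw described above can be modelled in a few lines of C. This is an added illustration, not kernel code and not the researchers' or the upstream patch's code: `toy_class`, `toy_enqueue`, the `active` flag and the `guarded` switch are hypothetical names, and a singly linked list stands in for the eligible RBTree.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy stand-in for an HFSC class; "next" replaces the eligible-tree links. */
struct toy_class {
    struct toy_class *next;
    unsigned qlen;   /* packets queued in the child qdisc */
    bool active;     /* hypothetical "already on the eligible list" flag */
};
static struct toy_class *eligible;   /* head of the toy eligible list */

static void toy_enqueue(struct toy_class *cl, bool duplicate, bool guarded)
{
    bool first = (cl->qlen == 0);    /* sampled before the child qdisc runs */
    /* Child qdisc step: a duplicated packet re-enters this function
     * before the child's queue length has been updated. */
    if (duplicate)
        toy_enqueue(cl, false, guarded);
    cl->qlen++;
    if (!first || (guarded && cl->active))
        return;                      /* guarded: class is already linked */
    cl->next = eligible;             /* unguarded second insert: cl->next == cl */
    eligible = cl;
    cl->active = true;
}

/* Floyd cycle check: the invariant a debug assertion could enforce. */
static bool eligible_has_cycle(void)
{
    struct toy_class *slow = eligible, *fast = eligible;
    while (fast && fast->next) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast)
            return true;
    }
    return false;
}

/* One duplicated enqueue on a fresh class; true if the list became cyclic. */
static bool run_case(bool guarded)
{
    static struct toy_class cl;
    cl = (struct toy_class){0};
    eligible = NULL;
    toy_enqueue(&cl, true, guarded);
    return eligible_has_cycle();
}

int main(void) { return (run_case(false) && !run_case(true)) ? 0 : 1; }
```

Both the inner and the outer call see `first == true` because the flag is sampled before the child runs, so only a check made after the child returns keeps the class from being linked twice.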

Exploiting the UAF required an innovative pointer-copy primitive based on controlled RBTree transformations.

After freeing the duplicated class node and overlaying its memory with a packet ring's page vector (pgv), the team leveraged eltree_insert(), eltree_remove(), and the Linux rbtree rebalancing routines (__rb_insert() and __rb_erase_augmented()) to copy a page pointer from one pgv to another. The sequence:

1. Trigger double insertion and free class 2:1.
2. Spray two page vectors on the freed slot, forging the RBTree nodes to point into user-controlled pages.
3. Insert class 2:2 to leak its el_node address.
4. Update class 2:2 to rebalance and overwrite a target page vector's first entry with a pointer to the attacker-controlled page.
5. Delete class 2:2 to propagate the pointer into the victim pgv via rb_erase(), yielding a page-UAF.

Once the page-UAF was established, remapping via packet_mmap() and controlled unmapping (munmap()) allowed the attackers to free the shared page prematurely.

A quick reuse of the freed page with signalfd file structures enabled arbitrary write primitives, culminating in credential overwrites that granted root on both Debian 12 and the various kernelCTF environments.

This exploit highlights that even subtle logic oversights in kernel qdiscs can lead to powerful UAF and data-only attacks without relying on classic ROP chains.

The vulnerability was patched in commit ac9fe7dd8e730a103ae4481147395cc73492d786, and CVE-2025-38001 has been assigned. 

Kernel maintainers and distribution vendors are urged to ensure timely deployment of the fix, while researchers should continue to augment automated fuzzing with manual code reviews, particularly in complex subsystems like traffic control, to preempt similarly sophisticated exploits.
