A essential vulnerability in Ubuntu’s Linux kernel has been uncovered, permitting native attackers to escalate privileges and probably achieve root entry on affected methods.
Disclosed at TyphoonPWN 2025, the flaw stems from a reference depend imbalance within the af_unix subsystem, resulting in a use-after-free (UAF) situation that researchers demonstrated with a full proof-of-concept exploit.
This situation impacts Ubuntu 24.04.2 working kernel model 6.8.0-60-generic, highlighting ongoing challenges in kernel patch administration for well-liked distributions.
The foundation trigger lies in Ubuntu’s partial implementation of upstream Linux kernel patches aimed toward fixing reference-counting bugs within the af_unix area sockets, which facilitate inter-process communication by permitting processes to ship file descriptors to 1 one other.
Traditionally, the subsystem employed a rubbish assortment mechanism to deal with round references. Nonetheless, current upstream adjustments changed this with a brand new algorithm whereas adjusting how out-of-band (OOB) socket buffer kernel (skb) references are managed.
Particularly, patches eliminated the skb_get() name within the queue_oob operate inside af_unix.c to stop pointless refcounts on u->oob_skb, a pointer for OOB information despatched by way of MSG_OOB flags, and correspondingly prevented decrementing it in rubbish assortment.
Ubuntu’s Kernel Privilege Escalation
Ubuntu’s kernel, based mostly on an older 6.8.12 model, retained the legacy rubbish assortment however incorrectly utilized solely the af_unix.c modification, omitting updates to rubbish.c.
This mismatch leads to the oob_skb dropping one reference throughout allocation, however having two decrements, one by way of kfree_skb in unix_gc and one other in unix_release_sock throughout socket closure, triggering a UAF on the 256-byte struct sk_buff object from the skbuff_head_cache slab.
SSD Disclosure famous that whereas each capabilities might free the article, sensible exploitation constantly sees the free in unix_gc adopted by use in unix_release_sock.
Exploiting this requires separating the free and use phases for dependable UAF, achieved by triggering rubbish assortment instantly after socket closure by way of a excessive unix_tot_inflight depend (over 16,000) throughout a subsequent sendmsg name, which invokes wait_for_unix_gc.
To bridge the timing hole earlier than unix_release_sock executes as a TWA_RESUME work merchandise post-syscall, the exploit halts execution utilizing a FUSE filesystem mmap’d buffer in skb_copy_datagram_from_iter, sleeping the kernel thread for seconds by way of a customized FUSE_read handler.
A cross-cache assault then frees the devoted slab, reclaiming the web page with managed pg_vec constructions sprayed by way of packet sockets on the loopback interface.
Overwriting the freed skb permits management over its destructor name in skb_release_head_state, offering RIP and RDI hijacking.
KASLR bypass employs a prefetch side-channel variant of Entrybleed, utilizing statistical timing evaluation on no-KPTI methods for 100% success.
Lastly, ROP chains overwrite modprobe_path to “/tmp/x”, a shell script granting root by way of usermodehelper invocation.
The PoC, a complicated C exploit compiling with offered utils and FUSE parts, demonstrates full privilege escalation, together with KASLR leak, spraying, and payload execution.
It received first place in TyphoonPWN 2025’s Linux class, crediting the discoverer for meticulous kernel internals evaluation.
Mitigation
Canonical responded swiftly, releasing an up to date kernel on September 18, 2025, incorporating full upstream fixes to stability refcounts throughout each modified recordsdata.
Customers on affected variations ought to replace instantly by way of apt improve linux-generic, verifying kernel 6.8.0-61 or later.
This incident underscores the dangers of selective backporting in distro kernels, urging directors to observe safety advisories carefully.
No widespread exploitation has been reported, however the public PoC elevates the urgency for patches in enterprise environments. (Phrase depend: 412)
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
