Ubuntu Kernel Flaw Allows Root Access; Users Urged to Update Immediately

Critical Ubuntu Kernel Flaw Exposes Systems to Root-Level Attacks


A significant security vulnerability has been identified in Ubuntu’s Linux kernel, potentially allowing local attackers to escalate their privileges and gain root access on affected systems. This flaw, disclosed during the TyphoonPWN 2025 security conference, arises from a reference count imbalance within the af_unix subsystem, leading to a use-after-free (UAF) condition. Researchers have demonstrated a full proof-of-concept (PoC) exploit, highlighting the severity of the issue.

Technical Details

The vulnerability specifically impacts Ubuntu 24.04.2 running kernel version 6.8.0-60-generic. The root cause is traced back to Ubuntu’s partial implementation of upstream Linux kernel patches intended to fix reference-counting bugs in the af_unix domain sockets. These sockets are crucial for inter-process communication, allowing processes to send file descriptors to one another.

Historically, the af_unix subsystem relied on a garbage collection mechanism to manage circular references. Recent upstream changes replaced this with a new algorithm and adjusted how out-of-band (OOB) socket buffer (skb) references are managed. Specifically, the patches removed the `skb_get()` call in the `queue_oob` function within `af_unix.c` to avoid taking an unnecessary reference on `u->oob_skb`, the pointer to OOB data sent with the `MSG_OOB` flag. Correspondingly, the garbage collector no longer decrements that reference.

Privilege Escalation Mechanism

Ubuntu’s kernel, based on an older 6.8.12 version, retained the legacy garbage collection but incorrectly applied only the `af_unix.c` modification, omitting the matching update to `garbage.c`. As a result, the `oob_skb` takes one fewer reference at allocation but is still decremented twice: once via `kfree_skb` in `unix_gc` and again in `unix_release_sock` during socket closure. This sequence triggers a UAF on the 256-byte `struct sk_buff` object from the `skbuff_head_cache` slab.

Reliable exploitation requires separating the free and use phases of the UAF. This is achieved by triggering garbage collection immediately after socket closure via a high `unix_tot_inflight` count (over 16,000) during a subsequent `sendmsg` call, which invokes `wait_for_unix_gc`. To bridge the timing gap before `unix_release_sock` executes as a `TWA_RESUME` work item after the syscall, the exploit halts execution using a FUSE filesystem `mmap`’d buffer in `skb_copy_datagram_from_iter`, with a custom `FUSE_read` handler putting the kernel thread to sleep for seconds.

A cross-cache attack then frees the dedicated slab, reclaiming the page with controlled `pg_vec` structures sprayed via packet sockets on the loopback interface. Overwriting the freed `skb` enables control over its destructor call in `skb_release_head_state`, providing RIP and RDI hijacking.

The Kernel Address Space Layout Randomization (KASLR) bypass employs a prefetch side-channel variant of Entrybleed, using statistical timing analysis to achieve 100% success on systems without KPTI. Finally, Return-Oriented Programming (ROP) chains overwrite `modprobe_path` with `/tmp/x`, a shell script that grants root access when invoked through the `usermodehelper` mechanism.

The PoC, a sophisticated C exploit compiling with provided utilities and FUSE components, demonstrates full privilege escalation, including KASLR leak, spraying, and payload execution. It secured first place in TyphoonPWN 2025’s Linux category, crediting the discoverer for meticulous kernel internals analysis.

Mitigation Measures

Canonical responded promptly, releasing an updated kernel on September 18, 2025, incorporating the full upstream fixes so that reference counts are balanced across both modified files. Users on affected versions should update immediately via `apt upgrade linux-generic` and verify that the running kernel is 6.8.0-61 or later.
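As an added example (not part of the article or Canonical's tooling), the following POSIX shell check compares an Ubuntu kernel release string of the form `6.8.0-<abi>-generic` against the 6.8.0-61 threshold given above; the sample version strings are constructed, and the `RUN_LIVE_CHECK` variable is a hypothetical switch for running it against `uname -r`.

```shell
#!/bin/sh
# Added check, not from the advisory: decide whether an Ubuntu 24.04 kernel
# release string predates the 6.8.0-61 fix described in the article.

# kernel_is_patched "<uname -r output>"
#   exit 0 : 6.8.0-<abi>-generic with abi >= 61 (patched)
#   exit 1 : 6.8.0-<abi>-generic with abi <  61 (affected, update needed)
#   exit 2 : not a 6.8.0 Ubuntu generic kernel, so not assessed here
kernel_is_patched() {
    release="$1"
    case "$release" in
        6.8.0-*-generic) ;;
        *) return 2 ;;
    esac
    # Strip the "6.8.0-" prefix and the "-generic" suffix to isolate the ABI number.
    abi="${release#6.8.0-}"
    abi="${abi%%-*}"
    case "$abi" in
        ''|*[!0-9]*) return 2 ;;   # non-numeric ABI field: refuse to guess
    esac
    [ "$abi" -ge 61 ]
}

# Human-readable wrapper that prints a verdict and propagates the status.
report_kernel() {
    kernel_is_patched "$1"
    rc=$?
    case $rc in
        0) echo "OK: $1 is at or beyond 6.8.0-61" ;;
        1) echo "AFFECTED: $1 predates the 6.8.0-61 fix; run apt upgrade linux-generic" ;;
        *) echo "SKIP: $1 is not a 6.8.0 Ubuntu generic kernel; consult the advisory" ;;
    esac
    return $rc
}

# Hypothetical switch: set RUN_LIVE_CHECK=1 to test the running kernel.
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
    report_kernel "$(uname -r)"
fi
```

Note that the check only reasons about the ABI number on the page; a kernel from a different series still needs to be checked against the distribution's own advisory.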

This incident underscores the risks associated with selective backporting in distribution kernels, urging administrators to monitor security advisories closely. While no widespread exploitation has been reported, the public availability of the PoC elevates the urgency for patches in enterprise environments.