Critical Vulnerability in CentOS 9 Allows Local Users to Gain Root Access; Urgent Kernel Update Recommended

A significant security flaw has been identified in the Linux kernel shipped with CentOS 9: a use-after-free (UAF) in the sch_cake queuing discipline (Qdisc) that surfaces when CAKE is used as the child of a classful parent Qdisc such as HFSC. An unprivileged local user can exploit it to gain root, compromising the integrity of the whole host.

Discovery and Disclosure

On February 5, 2026, security firm SSD Secure Disclosure published details of the vulnerability, which had previously taken first place in the Linux category at the TyphoonPWN 2025 competition. The flaw lies in cake_enqueue, the enqueue function of the CAKE Qdisc, which reports success to its caller even when it has dropped packets because the buffer limit was exceeded. Classful parent Qdiscs such as HFSC rely on that return value for their own bookkeeping, so the mismatch leaves the parent with stale state and ultimately a use-after-free during packet dequeuing. An attacker who can trigger the condition can execute arbitrary code in kernel context and escalate to root.

Technical Breakdown

The vulnerability is rooted in how cake_enqueue reports packet drops. When buffer_used exceeds buffer_limit, the function drops packets but still returns NET_XMIT_SUCCESS. When HFSC is stacked over CAKE, hfsc_enqueue sees that success code and, because the child queue was empty before the call, adds the class to its active list, even though the child queue is still empty. When that HFSC class is later deleted, the child CAKE Qdisc is purged; but because CAKE reports a queue length of zero, the parent's qlen_notify callback is never invoked and the class is never removed from HFSC's active list. The class is freed while still linked there. The next dequeue walks the active list, dereferences the freed class and its cl->qdisc pointer, and calls through it. By reclaiming the freed memory with a sprayed fake Qdisc object, the attacker controls the function pointer that gets called, gains control of the instruction pointer (RIP), and pivots into a return-oriented programming (ROP) chain.
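To make that sequence concrete, the following is an added user-space model of the accounting mismatch. It is example code written for this article, not kernel source and not the SSD proof-of-concept: every struct and function name (child_qdisc, parent_class, parent_enqueue, run_scenario and so on) is a hypothetical stand-in for the kernel object it mimics, and the "hardened" branches show one plausible way to close the gap rather than the actual upstream patch. Running it prints one dangling class pointer for the buggy path and none for the hardened one:

```c
/* Added example (not kernel code): user-space model of the HFSC-over-CAKE
 * accounting mismatch. Names are hypothetical stand-ins for kernel objects;
 * the "hardened" branches are illustrative, not the vendor patch. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NET_XMIT_SUCCESS 0
#define NET_XMIT_DROP    1
#define MAX_ACTIVE       4
struct child_qdisc { unsigned qlen, buffer_used, buffer_limit; }; /* ~CAKE */
struct parent_class {                 /* ~struct hfsc_class */
    struct child_qdisc *qdisc;
    bool freed;                       /* models kfree(cl) */
};
struct parent_qdisc {                 /* ~HFSC with its active list */
    struct parent_class *active[MAX_ACTIVE];
    unsigned nactive;
};

/* cake_enqueue as described: over the limit the packet is dropped,
 * but NET_XMIT_SUCCESS is still returned to the parent. */
static int child_enqueue(struct child_qdisc *q, unsigned len)
{
    if (q->buffer_used + len > q->buffer_limit)
        return NET_XMIT_SUCCESS;      /* dropped, reported as queued */
    q->buffer_used += len;
    q->qlen++;
    return NET_XMIT_SUCCESS;
}

static void set_active(struct parent_qdisc *sch, struct parent_class *cl)
{
    if (sch->nactive < MAX_ACTIVE) sch->active[sch->nactive++] = cl;
}

static void set_passive(struct parent_qdisc *sch, struct parent_class *cl)
{
    for (unsigned i = 0; i < sch->nactive; i++)
        if (sch->active[i] == cl) {
            sch->active[i] = sch->active[--sch->nactive];
            return;
        }
}

/* Parent enqueue: buggy path trusts the return code; hardened path also
 * requires the child queue to have actually grown before activating. */
static int parent_enqueue(struct parent_qdisc *sch, struct parent_class *cl,
                          unsigned len, bool hardened)
{
    bool first = (cl->qdisc->qlen == 0);
    int err = child_enqueue(cl->qdisc, len);
    if (err != NET_XMIT_SUCCESS) return err;
    if (hardened && cl->qdisc->qlen == 0)
        return NET_XMIT_DROP;         /* success reported, nothing queued */
    if (first)
        set_active(sch, cl);
    return NET_XMIT_SUCCESS;
}

/* Class deletion: buggy path notifies the parent (set_passive, the job of
 * qlen_notify) only if the child reports a non-zero length; hardened path
 * always detaches the class before it is freed. */
static void parent_delete_class(struct parent_qdisc *sch,
                                struct parent_class *cl, bool hardened)
{
    if (hardened || cl->qdisc->qlen > 0)
        set_passive(sch, cl);
    cl->qdisc->qlen = cl->qdisc->buffer_used = 0;
    cl->freed = true;
}

/* Entries the next dequeue would dereference that point at freed classes. */
static unsigned dangling_in_active_list(const struct parent_qdisc *sch)
{
    unsigned n = 0;
    for (unsigned i = 0; i < sch->nactive; i++)
        n += sch->active[i]->freed;
    return n;
}

/* The article's sequence: oversize packet into CAKE under HFSC, then delete. */
unsigned run_scenario(bool hardened)
{
    struct child_qdisc cake = { .qlen = 0, .buffer_used = 0, .buffer_limit = 100 };
    struct parent_class cl = { .qdisc = &cake, .freed = false };
    struct parent_qdisc hfsc;
    memset(&hfsc, 0, sizeof hfsc);
    (void)parent_enqueue(&hfsc, &cl, 150, hardened);  /* 150 > 100: dropped */
    parent_delete_class(&hfsc, &cl, hardened);
    return dangling_in_active_list(&hfsc);
}

int main(void)
{
    printf("buggy:    %u dangling\n", run_scenario(false));   /* 1 */
    printf("hardened: %u dangling\n", run_scenario(true));    /* 0 */
    return 0;
}
```

The two checks in the hardened branches are the invariants the bug violates: a parent must not activate a class unless the child queue really holds the packet, and a class must be unlinked from every parent structure before it is freed, regardless of what its child reports about its own length.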

Exploitation Details

The proof-of-concept (PoC) exploit defeats Kernel Address Space Layout Randomization (KASLR) with a prefetch-based timing side channel, then builds the vulnerable stack itself: it creates an HFSC Qdisc with classes, attaches a CAKE child, sends traffic over loopback until CAKE drops packets while still reporting success, and deletes a class to leave the freed object on HFSC's active list. It then sprays fake objects carrying a ROP chain into the freed memory; the next dequeue calls through the attacker's pointer, the chain overwrites modprobe_path, and executing a file with an unrecognized format makes the kernel run the attacker's program as root, yielding a root shell.

Mitigation Recommendations

To mitigate this vulnerability, administrators are advised to:

– Avoid using CAKE as a child Qdisc: check what is attached with `tc qdisc show`, then remove an administrator-configured CAKE instance (for example `tc qdisc del dev lo root`, which removes whatever root Qdisc is attached to lo, not only CAKE) or switch to another queuing discipline such as HTB. Be aware that this only removes configuration you set up: the exploit builds its own HFSC-over-CAKE stack, and any unprivileged user who can create user and network namespaces holds CAP_NET_ADMIN inside them and can attach Qdiscs to that namespace's own loopback device.

– Monitor traffic-control activity: alert on unexpected executions of tc, on Qdisc add/delete (RTM_NEWQDISC, RTM_DELQDISC) netlink traffic from non-administrative users, and on unshare/clone calls that create new user and network namespaces. An auditd watch such as `-w /usr/sbin/tc -p x -k tc_exec` covers the first of these.

– Update the kernel: apply the vendor kernel errata as soon as it is published and reboot into the new kernel; a package update without a reboot leaves the vulnerable code running, and `uname -r` confirms which kernel is actually in use.

– Disable unnecessary Qdisc modules: sch_cake and sch_hfsc are loaded on demand the first time a Qdisc of that type is requested, so a module absent from `lsmod` output can still be pulled in by the attacker. To block loading, add an `install sch_cake /bin/false` line in a file under /etc/modprobe.d/ rather than a bare `blacklist` entry, which only affects alias-based autoloading, and unload an already-loaded copy with `modprobe -r sch_cake`.

– Restrict, rather than rely on, namespaces: user namespaces are what give a non-root user the CAP_NET_ADMIN needed to build the Qdisc stack, so generic "isolate with namespaces" advice does not help here. Where rootless containers and similar tooling are not required, set the `user.max_user_namespaces` sysctl to 0 to stop unprivileged users creating them. Treat containers that share the host kernel as no barrier against a kernel privilege escalation, and run genuinely untrusted workloads in separate virtual machines.

This vulnerability underscores that kernel traffic-control code is reachable by unprivileged local users, and that administrators should promptly audit Qdisc configuration, module loading, and namespace policy, and update their kernels to maintain security.