A critical security vulnerability has been identified in CentOS 9, a widely used Linux distribution, which allows local users to escalate their privileges to root level. This flaw, a use-after-free (UAF) vulnerability in the Linux kernel’s sch_cake queuing discipline (Qdisc), poses a significant risk to system integrity and security.
Understanding the Vulnerability
The vulnerability resides in the CAKE (Common Applications Kept Enhanced) Qdisc, specifically within the `cake_enqueue` function. This function is responsible for managing network traffic by enqueuing packets. The flaw occurs when `cake_enqueue` returns a success status (`NET_XMIT_SUCCESS`) even after dropping packets due to buffer limitations. This misleading return value can cause parent classful Qdiscs, such as HFSC (Hierarchical Fair Service Curve), to mismanage their state, leading to a use-after-free condition when dequeuing packets. Attackers can exploit this condition to execute arbitrary code within the kernel context, effectively achieving local privilege escalation.
Technical Breakdown
The issue arises when the `buffer_used` exceeds the `buffer_limit` in the `cake_enqueue` function. In such cases, the function drops packets via `cake_drop` but still returns a success status. In configurations where HFSC is stacked over CAKE, HFSC enqueues packets without error checks and calls `init_ed` to add the class to its active list. If the HFSC class is deleted, it purges the child CAKE Qdisc via `qdisc_purge_queue`. However, since CAKE is empty, `qlen_notify` skips removal from HFSC’s active list, leaving a dangling pointer. During `hfsc_dequeue`, `eltree_get_mindl` selects the freed class, and `qdisc_dequeue_peeked` triggers the use-after-free on `cl->qdisc`. This sequence allows attackers to gain control over the instruction pointer (RIP) by spraying a fake Qdisc with return-oriented programming (ROP) gadgets.
Proof of Concept and Exploitation
Security firm SSD Secure Disclosure published details of this vulnerability on February 5, 2026, highlighting that the flaw secured first place in the Linux category at TyphoonPWN 2025. The proof of concept (PoC) demonstrates how an attacker can bypass Kernel Address Space Layout Randomization (KASLR) using prefetch side-channel timing attacks. By spraying fake Qdiscs via `sendmsg` with crafted control messages, the exploit sets up HFSC with classes, adds a CAKE child, triggers packet drops via loopback send, deletes the class to create a use-after-free condition, and then sprays a ROP chain to overwrite `modprobe_path`. Finally, it triggers `modprobe` to gain a root shell via an unhandled file type.
Impact and Severity
While a Common Vulnerability Scoring System (CVSS) score has not yet been assigned, the impact of this vulnerability is substantial. A local attacker can escalate their privileges to root on CentOS 9 systems utilizing the CAKE Qdisc. This escalation can lead to unauthorized access, data breaches, and potential system compromise.
Vendor Response and Mitigation
Red Hat, the upstream provider for CentOS, was notified of this vulnerability over 90 days ago. As of the latest update, their response indicates that a fix is work in progress, no release yet. Similar vulnerabilities in the past, such as CVE-2022-50452, were addressed through kernel updates.
Recommended Mitigation Steps
1. Avoid Using CAKE Qdisc: Administrators are advised to remove the CAKE Qdisc from their systems. This can be achieved by executing the command `tc qdisc del dev lo root` or by switching to alternative queuing disciplines like HTB (Hierarchical Token Bucket).
2. Monitor System Commands and Traffic: Regularly monitor `tc` commands and unusual netlink traffic to detect potential exploitation attempts.
3. Update the Kernel: Once a patched kernel version is released, promptly update the system to incorporate the fix.
4. Disable Unnecessary Qdisc Modules: If certain queuing disciplines are not in use, consider disabling their corresponding kernel modules to reduce the attack surface.
5. Implement User Isolation: Utilize namespaces and user isolation techniques for workloads that may pose security risks, thereby limiting the potential impact of an exploit.
Conclusion
This local privilege escalation vulnerability in CentOS 9 underscores the critical importance of diligent system administration and prompt vulnerability management. Administrators should take immediate action to mitigate the risk by removing the CAKE Qdisc, monitoring system activities, and preparing to apply kernel updates as soon as they become available. Staying informed about such vulnerabilities and implementing proactive security measures are essential steps in safeguarding systems against potential exploits.
Twitter Post:
Critical #CentOS9 vulnerability allows local users to escalate to root privileges. Immediate action required: remove CAKE Qdisc and monitor systems. #Linux #CyberSecurity #Vulnerability
Focus Key Phrase:
CentOS 9 privilege escalation vulnerability
Article X Post:
Hashtags:
Article Key Phrase:
Category: Security News
