In a significant cybersecurity development, researchers have successfully exploited a previously unknown vulnerability, designated as CVE-2025-38001, within the Linux Hierarchical Fair Service Curve (HFSC) queuing discipline. This exploit enabled them to compromise all Google kernelCTF instances—including Long-Term Support (LTS), Container-Optimized OS (COS), and mitigation environments—as well as fully patched Debian 12 systems. The researchers’ efforts resulted in approximately $82,000 in cumulative bounties, underscoring the critical need for comprehensive code audits beyond automated fuzzing techniques.
Understanding the Vulnerability
The exploit centers on a logic flaw in the `hfsc_enqueue()` function of the Linux kernel’s HFSC queuing discipline. This flaw allows a class to be inserted twice into the HFSC eligible Red-Black Tree (RBTree) when used in conjunction with the Network Emulator (NETEM) queuing discipline’s packet duplication feature.
NETEM’s duplicate option triggers a reentrant call to `hfsc_enqueue()`, causing the `init_ed()` function to execute twice and create a cyclic RBTree. Under normal circumstances, this would result in an infinite loop within the `hfsc_dequeue()` function, effectively hanging the kernel. However, by stacking a Token Bucket Filter (TBF) queuing discipline at the root with an extremely low rate, the researchers prevented dequeue operations long enough to free the class and trigger a Use-After-Free (UAF) condition when a new class is inserted.
Exploitation Techniques
To exploit the UAF condition, the researchers employed an innovative pointer-copy primitive based on controlled RBTree transformations. The process involved the following steps:
1. Triggering Double Insertion and Freeing the Class: By manipulating the queuing disciplines, the researchers caused a class to be inserted twice and subsequently freed.
2. Spraying Page Vectors: They then sprayed two page vectors at the freed memory slot, forging the RBTree nodes to point into user-controlled pages.
3. Leaking Node Addresses: By inserting a new class, they leaked its `el_node` address.
4. Rebalancing and Overwriting: Updating the class triggered a rebalancing operation, overwriting a target page vector’s first entry with a pointer to an attacker-controlled page.
5. Propagating the Pointer: Deleting the class propagated the pointer into the victim page vector via the `rb_erase()` function, resulting in a page-UAF condition.
Once the page-UAF was established, the researchers utilized packet memory mapping (`packet_mmap()`) and controlled unmapping (`munmap()`) to free the shared page prematurely. By rapidly reusing the freed page with signalfd file structures, they achieved arbitrary write primitives. This culminated in credential overwrites that granted root access on both Debian 12 and the various kernelCTF environments.
Implications and Recommendations
This exploit highlights that even subtle logic oversights in kernel queuing disciplines can lead to powerful UAF and data-only attacks without relying on traditional Return-Oriented Programming (ROP) chains. The vulnerability has been patched in commit `ac9fe7dd8e730a103ae4481147395cc73492d786`, and CVE-2025-38001 has been assigned.
Kernel maintainers and distribution vendors are urged to ensure timely deployment of the fix. Additionally, researchers should continue to complement automated fuzzing with manual code reviews, particularly in complex subsystems like traffic control, to preempt similarly sophisticated exploits.
