A local privilege escalation vulnerability in Ubuntu's Linux kernel has been disclosed that allows an unprivileged local user to gain root on affected systems.
Presented at TyphoonPWN 2025, the flaw is a reference count imbalance in the af_unix subsystem that leads to a use-after-free (UAF), which the researchers demonstrated with a full proof-of-concept exploit.
The issue affects Ubuntu 24.04.2 running kernel 6.8.0-60-generic, and it illustrates the risk of partially backporting upstream fixes into distribution kernels.
The root cause is Ubuntu's partial backport of upstream kernel patches that reworked reference counting in af_unix, the implementation of Unix domain sockets, which provide local inter-process communication and can pass file descriptors between processes (SCM_RIGHTS).
Historically, the subsystem relied on a garbage collector to reclaim sockets caught in cycles of in-flight file descriptors. Recent upstream changes replaced that collector with a new algorithm and, as part of the same work, changed how references on the out-of-band (OOB) socket buffer (sk_buff, or skb) are managed.
Specifically, the patches removed the skb_get() call in queue_oob() in af_unix.c, so that u->oob_skb (the pointer to the skb carrying data sent with MSG_OOB) no longer holds a reference of its own beyond the one owned by the receive queue, and correspondingly removed the matching kfree_skb() of u->oob_skb from the garbage collector in garbage.c.
Ubuntu's kernel, based on the older 6.8.12 upstream release, kept the legacy garbage collector but applied only the af_unix.c half of the change, leaving garbage.c untouched.
The result is an skb allocated with a single reference that is dropped twice: once by kfree_skb() in unix_gc(), and again when unix_release_sock() purges the socket's receive queue on close, where the skb is still linked. The second drop operates on freed memory, a UAF on the 256-byte struct sk_buff object from the skbuff_head_cache slab.
SSD Disclosure noted that while either function could end up performing the first free, in practice the free reliably happens in unix_gc() and the use in unix_release_sock().
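To make the imbalance concrete, here is an added C model that counts references on the OOB skb through the three functions named above. It is not kernel code and not part of SSD Disclosure's write-up; function and field names mirror the kernel's, but the bodies are reduced to the reference-counting steps. The three variants it compares follow the description in this article; the assumption that the updated af_unix.c clears u->oob_skb at close without freeing it (flag release_drops_oob_ref = false) is the model's, as is the detail that the legacy collector leaves a plain data skb, with no fds attached, in the receive queue rather than moving it to the hitlist.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (added example, not kernel source): just enough of sk_buff and
 * unix_sock to follow the OOB skb's reference count. */

enum outcome { CLEAN = 0, DOUBLE_FREE = 1, LEAKED = 2 };

struct sk_buff {
    int users;      /* kernel: refcount_t users */
    bool freed;     /* model only: set by the final kfree_skb() */
};

struct unix_sock {
    struct sk_buff *rx_queue[8];    /* sk_receive_queue */
    int rx_len;
    struct sk_buff *oob_skb;        /* u->oob_skb */
};

/* Which half of the upstream change a kernel carries. */
struct variant {
    const char *name;
    bool queue_oob_takes_ref;   /* skb_get() still in queue_oob()              (af_unix.c) */
    bool gc_drops_oob_ref;      /* kfree_skb(u->oob_skb) still in unix_gc()     (garbage.c) */
    bool release_drops_oob_ref; /* kfree_skb(u->oob_skb) in unix_release_sock() (af_unix.c, assumed) */
};

static int faults; /* frees of an already-freed skb observed by the model */

static void kfree_skb(struct sk_buff *skb)
{
    if (skb->freed) {           /* object already gone: this is the UAF */
        faults++;
        return;
    }
    if (--skb->users == 0)
        skb->freed = true;
}

/* Sender side of MSG_OOB: the skb is queued on the peer and remembered in oob_skb. */
static void queue_oob(const struct variant *v, struct unix_sock *other,
                      struct sk_buff *skb)
{
    skb->users = 1;                 /* reference owned by the receive queue */
    if (v->queue_oob_takes_ref)
        skb->users++;               /* skb_get(): extra reference for oob_skb */
    other->rx_queue[other->rx_len++] = skb;
    other->oob_skb = skb;
}

/* Legacy collector: drops the oob_skb reference. A plain data skb (no fds)
 * is not moved to the hitlist, so it stays in the receive queue. */
static void unix_gc(const struct variant *v, struct unix_sock *u)
{
    if (v->gc_drops_oob_ref && u->oob_skb) {
        struct sk_buff *skb = u->oob_skb;
        u->oob_skb = NULL;
        kfree_skb(skb);
    }
}

/* Close path: optionally drop the oob_skb reference, then skb_queue_purge(). */
static void unix_release_sock(const struct variant *v, struct unix_sock *u)
{
    if (u->oob_skb) {
        if (v->release_drops_oob_ref)
            kfree_skb(u->oob_skb);
        u->oob_skb = NULL;
    }
    for (int i = 0; i < u->rx_len; i++)
        kfree_skb(u->rx_queue[i]);  /* touches every queued skb, freed or not */
    u->rx_len = 0;
}

/* The sequence described above: MSG_OOB send, GC forced while the peer is
 * being torn down, then the deferred unix_release_sock(). */
enum outcome simulate(const struct variant *v)
{
    struct sk_buff skb = { 0, false };
    struct unix_sock peer = { { NULL }, 0, NULL };

    faults = 0;
    queue_oob(v, &peer, &skb);
    unix_gc(v, &peer);
    unix_release_sock(v, &peer);

    if (faults)
        return DOUBLE_FREE;
    return skb.freed ? CLEAN : LEAKED;
}

static const struct variant variants[] = {
    { "upstream 6.8 (legacy)",      true,  true,  true  }, /* both halves of the old scheme */
    { "upstream new GC",            false, false, false }, /* neither skb_get() nor the extra kfree_skb() */
    { "Ubuntu 6.8.0-60 (mismatch)", false, true,  false }, /* af_unix.c updated, garbage.c not */
};

int main(void)
{
    static const char *names[] = { "clean", "double free / UAF", "leaked" };
    for (size_t i = 0; i < sizeof variants / sizeof variants[0]; i++)
        printf("%-28s -> %s\n", variants[i].name, names[simulate(&variants[i])]);
    return 0;
}
```

Only the mismatched combination reports a double free: the single reference taken in queue_oob() is consumed by the collector, and the purge in unix_release_sock() then operates on a dead object. Either consistent pairing, old or new, ends with the skb freed exactly once.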
Reliable exploitation requires separating the free from the use. The exploit arranges for garbage collection to run right as the socket is being torn down: a sendmsg() call made while unix_tot_inflight is high (over 16,000 in-flight file descriptors) invokes wait_for_unix_gc(), which runs the collector synchronously inside that syscall.
unix_release_sock() does not run at that point: it is deferred as a TWA_RESUME task-work item that executes only when the syscall returns to user space. To widen that window, the exploit stalls the same sendmsg() inside skb_copy_datagram_from_iter() by passing it a buffer mmap'd from a FUSE filesystem whose custom read handler sleeps for several seconds before servicing the page fault.
A cross-cache attack then frees the slab page that held the skb, so the page can be reclaimed with attacker-controlled pg_vec structures sprayed via packet sockets on the loopback interface.
With controlled data overlaying the freed skb, the destructor call in skb_release_head_state(), reached from the delayed unix_release_sock(), yields control of RIP and of RDI (the skb pointer itself).
KASLR is defeated with a prefetch side channel (a variant of EntryBleed) and statistical analysis of the timing samples; on systems without KPTI the researchers report 100% success.
Finally, a ROP chain overwrites modprobe_path with "/tmp/x", a shell script that the kernel later runs as root through the usermodehelper mechanism (for example, when a file of unrecognised format is executed).
The PoC, a C exploit built with the accompanying utilities and FUSE components, demonstrates full privilege escalation: the KASLR leak, the heap spray, and payload execution.
It took first place in the Linux category at TyphoonPWN 2025, and SSD Disclosure credits the discoverer's meticulous analysis of the kernel internals.
Canonical responded quickly, releasing an updated kernel on September 18, 2025 that carries the complete upstream change, so the reference count is balanced across both modified files.
Users on affected versions should update immediately (apt update, then apt upgrade linux-generic), reboot into the new kernel, and confirm with uname -r that 6.8.0-61 or later is running; the fix is not in effect until the reboot.
This incident underscores the risk of selective backporting in distribution kernels; administrators should monitor security advisories closely.
No widespread exploitation has been reported, but with the PoC public, patching in enterprise environments should be treated as urgent.