Researchers exploited CVE-2025-38001—a previously unknown Use-After-Free (UAF) vulnerability in the Linux HFSC queuing discipline—to compromise all Google kernelCTF instances (LTS, COS, and mitigation) as well as fully patched Debian 12 systems.
Their work netted an estimated $82,000 in cumulative bounties and underscores the continuing importance of in-depth code auditing beyond automated fuzzing.
Key Takeaways
1. NETEM’s packet duplication bug in HFSC qdisc plus TBF rate-limiting turned an infinite RBTree loop into a reliable Use-After-Free.
2. An RBTree pointer-copy trick caused a page-UAF and arbitrary write.
3. Root achieved on Debian 12 and all Google kernelCTF instances; fix available.
Linux Kernel Root Exploit
According to researchers D3vil and FizzBuzz101, the exploit is based on the logic flaw in hfsc_enqueue() that allows a class to be inserted twice into the HFSC “eligible” RBTree when used in conjunction with the NETEM qdisc’s packet duplication feature:
NETEM’s duplicate option triggers a reentrant call to hfsc_enqueue(), causing init_ed() to run twice and create a cyclic RBTree.
Normally, the resulting infinite loop in hfsc_dequeue() would hang the kernel, but by stacking a TBF qdisc at the root with an extremely low rate, researchers prevented dequeue operations long enough to free the class and trigger a UAF when a new class is inserted.
Exploiting the UAF required an innovative pointer-copy primitive based on controlled RBTree transformations.
After freeing the duplicated class node and overlaying its memory with a packet ring’s page vector (pgv), the team leveraged eltree_insert(), eltree_remove(), and the Linux rbtree rebalancing routines (__rb_insert() and __rb_erase_augmented()) to copy a page pointer from one pgv to another. The sequence:
Trigger double insertion and free class 2:1.
Spray two page vectors at the freed slot, forging the RBTree nodes to point into user-controlled pages.
Insert class 2:2 to leak its el_node address.
Update class 2:2 to rebalance and overwrite a target page vector’s first entry with a pointer to the attacker-controlled page.
Delete class 2:2 to propagate the pointer into the victim pgv via rb_erase(), yielding a page-UAF.
Once the page-UAF was established, remapping via packet_mmap() and controlled unmapping (munmap()) allowed the attackers to free the shared page prematurely.
A rapid reuse of the freed page with signalfd file structures enabled arbitrary write primitives, culminating in credential overwrites that granted root on both Debian 12 and the various kernelCTF environments.
This exploit highlights that even subtle logic oversights in kernel qdiscs can lead to powerful UAF and data-only attacks without relying on classic ROP chains.
The vulnerability was patched in commit ac9fe7dd8e730a103ae4481147395cc73492d786, and CVE-2025-38001 has been assigned.
Kernel maintainers and distribution vendors are urged to ensure timely deployment of the fix, while researchers should continue to complement automated fuzzing with manual code reviews, particularly in complex subsystems like traffic control, to preempt similarly sophisticated exploits.
Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches
The post Researchers Exploited Google kernelCTF Instances And Debian 12 With A 0-Day appeared first on Cyber Security News.
