Security researcher Jann Horn of Google Project Zero has disclosed the technical details and proof-of-concept exploit code for a high-severity Linux kernel vulnerability, CVE-2025-38236 (CVSS 7.3), that could allow attackers to escalate privileges, particularly where the kernel's address layout (the secret that kernel address space layout randomization, KASLR, is meant to protect) can be leaked through freed memory.
The flaw is a use-after-free (UAF) in the Linux kernel's handling of the rarely used MSG_OOB feature for stream-oriented UNIX domain sockets.
The vulnerability affects Linux kernel versions ≥ 6.9 and, despite its obscurity, was reachable inside the Chrome renderer sandbox — paving the way for a full sandbox escape and privilege escalation.
“While the MSG_OOB feature is not used by Chrome, it was exposed in the Chrome renderer sandbox. Since then, sending MSG_OOB messages has been blocked in Chrome renderers in response to this issue,” Horn wrote.
The bug resides in the manage_oob() logic for handling out-of-band (OOB) data. In certain message sequences, the kernel fails to clear the socket's ->oob_skb pointer before freeing the socket buffer (SKB) it refers to, leaving a dangling pointer that can be exploited for controlled kernel reads and limited writes.
Horn demonstrated a simple trigger sequence of send() and recv() calls with the MSG_OOB flag, after which subsequent OOB reads dereference the freed memory.
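Chrome's response was to block MSG_OOB at the sandbox boundary. The following is an added example, not code from Horn's write-up or from Chromium, of what such a policy looks like as a raw seccomp-BPF filter on Linux: it fails sendto/sendmsg/sendmmsg calls whose flags include MSG_OOB with EPERM before they reach the socket layer. It assumes little-endian Linux on x86-64 (the article's test system) or AArch64; the names HOST_AUDIT_ARCH, install_msg_oob_filter and probe_send are my own.

```c
/* Added example, not code from Horn's write-up or from Chromium: a seccomp-BPF filter that fails
 * send-family syscalls carrying MSG_OOB with EPERM, the policy Chrome adopted for its renderers. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifdef __aarch64__ /* assumption: little-endian Linux on x86-64 (the article's setup) or AArch64 */
#define HOST_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define HOST_AUDIT_ARCH AUDIT_ARCH_X86_64
#endif
#define SD(field) offsetof(struct seccomp_data, field) /* for args[n] this is the low 32 bits (LE) */
static struct sock_filter msg_oob_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(arch)),                              /* 0: check ABI first */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_AUDIT_ARCH, 1, 0),               /* 1: match -> 3 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),                       /* 2: foreign ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)),                                /* 3: syscall number */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto, 5, 0),                   /* 4: flags=args[3] -> 10 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendmmsg, 4, 0),                 /* 5: flags=args[3] -> 10 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendmsg, 1, 0),                  /* 6: flags=args[2] -> 8 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                              /* 7: not a send call */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(args[2])),                           /* 8: sendmsg flags */
    BPF_STMT(BPF_JMP | BPF_JA, 1),                                             /* 9: skip 10 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(args[3])),                           /* 10: sendto/sendmmsg flags */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MSG_OOB, 0, 1),                      /* 11: MSG_OOB set? */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)), /* 12: refuse */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                              /* 13: plain send */
};
/* Installs the filter for this thread (inherited across fork/exec); 0 on success, -1 with errno set. */
int install_msg_oob_filter(void) {
    struct sock_fprog prog = { .len = sizeof(msg_oob_filter) / sizeof(msg_oob_filter[0]), .filter = msg_oob_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for an unprivileged install */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Sends one byte with `flags` on a fresh AF_UNIX stream pair: 1 delivered, 0 refused with EPERM, -1 otherwise. */
int probe_send(int flags) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    ssize_t n = send(sv[0], "x", 1, flags);
    int err = errno;
    close(sv[0]); close(sv[1]);
    return n == 1 ? 1 : (n < 0 && err == EPERM) ? 0 : -1;
}
```

Calling install_msg_oob_filter() early in a sandboxed process makes probe_send(MSG_OOB) return 0 while probe_send(0) still returns 1, and the filter also covers anything the process later spawns. This removes the reachable surface rather than fixing the bug, so the kernel update remains the actual fix.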
Horn set out to determine whether exploitation was practical from inside Chrome’s Linux Desktop renderer sandbox on an x86-64 Debian Trixie system. The challenge: escape directly from native code execution in the renderer to full kernel code execution.
The key primitive from the bug was a semi-arbitrary read via copy_to_user():
“By replacing the memory pointed to by oob_skb with controlled, repeatedly writable data, it is possible to repeatedly cause copy_to_user(<userspace pointer>, <kernel pointer>, 1) with arbitrary kernel pointers. As long as MSG_PEEK is set, this can be repeated.”
The write primitive was weaker — incrementing a 32-bit value at a fixed offset — but Horn leveraged it in a clever way. By reallocating freed SKB memory as part of the kernel stack (with help from CONFIG_RANDOMIZE_KSTACK_OFFSET), he could precisely corrupt stack variables to hijack execution flow.
Horn’s final exploit chained multiple primitives:
- Arbitrary read to leak kernel addresses and allocator state.
- Stack overwrite via UAF increment to alter copy length logic.
- Out-of-bounds write into page tables, creating writable user mappings of arbitrary kernel memory.
- Full kernel memory modification, demonstrated by altering the uname output.
“My exploit demonstrates its ability to modify kernel memory with this by using it to overwrite the UTS information printed by uname,” Horn states.
The proof-of-concept exploit code for this flaw is available here.