Researchers Exploit 0-Day to Hack Google kernelCTF and Debian 12 Instances

Cybersecurity researchers have successfully exploited a critical zero-day vulnerability in the Linux kernel, earning a record-breaking $82,000 bounty through Google’s kernelCTF program.

The vulnerability, designated CVE-2025-38001, affects multiple Linux distributions, including Debian 12, Ubuntu, and Google’s Container-Optimized OS (COS).

Use-After-Free in Network Packet Scheduler

CVE-2025-38001 is a Use-After-Free vulnerability located in the Linux network packet scheduler, specifically within the Hierarchical Fair Service Curve (HFSC) queuing discipline.

The vulnerability emerges when HFSC is combined with Network Emulation (NETEM) and packet duplication is enabled.

The exploit relies on the same HFSC class being inserted twice into the eligible tree (eltree), which is a red-black tree (RB-tree). Under normal conditions the duplicate insertion corrupts the tree into a cycle, and hfsc_dequeue() spins forever walking it.

However, the researchers found that configuring a Token Bucket Filter (TBF) as the root qdisc with an extremely low rate prevents packets from ever being dequeued, so the infinite loop is never reached.

The attack uses the following traffic control (tc) configuration:

```bash
tc qdisc add dev lo root handle 1:0 hfsc
tc class add dev lo parent 1:0 classid 1:1 hfsc rt m2 20Kbit
tc qdisc add dev lo parent 1:1 handle 2:0 netem duplicate 100%
```
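As an added example (not part of the article, and not code from the researchers or the kernel), the script below gives a defender a quick way to spot the qdisc combination the article describes on a host: it parses the text output of `tc qdisc show`, builds a map of qdisc handles, and flags any netem qdisc with packet duplication whose parent class belongs to an HFSC qdisc. The sample output embedded in the script is constructed to mirror the configuration quoted above; the line format is assumed to follow iproute2's usual `qdisc <kind> <major>: [dev <name>] root|parent <handle> ...` layout.

```python
"""Flag the HFSC + NETEM-with-duplication qdisc chain described in the article.

Added example: parses `tc qdisc show` text output and reports any netem qdisc
that has packet duplication enabled and sits under an HFSC qdisc. It is a
configuration heuristic for inventory/detection, not a vulnerability test;
the real mitigation is a patched kernel.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of `tc qdisc show dev lo` for the configuration quoted in
# the article (hfsc at root, netem with 100% duplication under class 1:1).
SAMPLE_TC_OUTPUT = """\
qdisc hfsc 1: root refcnt 2 default 0
qdisc netem 2: parent 1:1 limit 1000 duplicate 100%
"""

# Assumed iproute2 line layout. "dev <name>" appears when no device was given
# on the command line, so it is optional here.
QDISC_RE = re.compile(
    r"^qdisc (?P<kind>\S+) (?P<major>[0-9a-f]+): "
    r"(?:dev (?P<dev>\S+) )?"
    r"(?:root|parent (?P<parent>[0-9a-f]+:[0-9a-f]*))"
)
DUP_RE = re.compile(r"\bduplicate (?P<pct>\d+(?:\.\d+)?)%")


def parse_qdiscs(text: str) -> List[Dict[str, object]]:
    """Turn `tc qdisc show` output into a list of qdisc records."""
    qdiscs: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = QDISC_RE.match(line)
        if not m:
            continue  # stats lines (" Sent ... bytes") and unknown formats
        dup = DUP_RE.search(line)
        qdiscs.append({
            "kind": m.group("kind"),
            "major": m.group("major"),          # handle major, e.g. "1" for 1:
            "dev": m.group("dev"),              # None when tc was given a dev
            "parent": m.group("parent"),        # None for the root qdisc
            "duplicate": float(dup.group("pct")) if dup else 0.0,
            "raw": line,
        })
    return qdiscs


def find_risky_chains(qdiscs: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (netem_line, hfsc_line) pairs where duplicating netem sits under HFSC."""
    by_major = {q["major"]: q for q in qdiscs}
    findings: List[Tuple[str, str]] = []
    for q in qdiscs:
        if q["kind"] != "netem" or q["duplicate"] <= 0 or q["parent"] is None:
            continue
        # A parent of "1:1" is class 1 of the qdisc whose handle major is "1".
        parent_major = str(q["parent"]).split(":")[0]
        parent = by_major.get(parent_major)
        if parent is not None and parent["kind"] == "hfsc":
            findings.append((str(q["raw"]), str(parent["raw"])))
    return findings


def scan_device(dev: Optional[str] = None) -> List[Tuple[str, str]]:
    """Run tc on the local host and return any flagged chains (requires iproute2)."""
    cmd = ["tc", "qdisc", "show"] + (["dev", dev] if dev else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_risky_chains(parse_qdiscs(out))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for netem_line, hfsc_line in find_risky_chains(parse_qdiscs(SAMPLE_TC_OUTPUT)):
        print("netem duplication under HFSC:")
        print("  ", netem_line)
        print("  ", hfsc_line)
```

Run it without arguments to check the constructed sample, or call `scan_device("lo")` on a host to inspect live state; a non-empty result means the HFSC-plus-duplicating-NETEM chain is present and the kernel's patch status for this bug should be confirmed.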

Record-Breaking Exploitation Success

The research team, known as “Crusaders of Rust,” achieved the fastest kernelCTF submission in history, compromising the Linux Kernel Runtime Security (LTS) instance in just 3.6 seconds.

Their exploit employed a sophisticated page-level data-only attack strategy, utilizing RBTree pointer copy primitives to achieve kernel privilege escalation.

The vulnerability affects critical kernel functions, including hfsc_enqueue(), rb_insert_color(), and free_pg_vec().

The exploit manipulates packet ring page vectors to create a page Use-After-Free condition, ultimately allowing attackers to overwrite process credentials and gain root access.

The vulnerability has been patched in upstream commit ac9fe7dd8e730a103ae4481147395cc73492d786, and system administrators are urged to update their kernels immediately.

This discovery highlights the ongoing importance of kernel security research and the effectiveness of responsible disclosure programs in identifying critical infrastructure vulnerabilities.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.