Researchers Use 0-Day to Exploit Google kernelCTF and Debian 12
Security researchers have uncovered and weaponized a critical Use-After-Free vulnerability (CVE-2025-38001) in the Linux network packet scheduler’s HFSC queuing discipline, successfully compromising Google kernelCTF instances—LTS, COS, and mitigation—and fully updated Debian 12.
By ingeniously combining HFSC’s real-time scheduling mode, NETEM’s packet duplication feature, and a throttled Token Bucket Filter (TBF) root queue, the attack transforms an innocuous infinite loop into a reliable exploit, netting approximately $82 000 in bounties.
Vulnerability Mechanics
HFSC maintains an “eligible tree” (an RBTree) of packet classes awaiting service. When NETEM’s duplication is active under HFSC’s real-time service curve, each packet enqueues twice due to a reentrant call.
CVE ID | Description | Affected Targets | Patch/Commit
--- | --- | --- | ---
CVE-2025-38001 | Use-After-Free in the HFSC eligible RBTree when NETEM duplication triggers a double class insertion; an infinite loop turned into a UAF. | Linux kernels ≤ 6.6.7; Debian 12; Google kernelCTF LTS 6.6.*, COS-105, COS-109 | Fixed by commit ac9fe7dd8e73
This double insertion forms a cycle in the RBTree, causing the dequeue operation to loop infinitely.
Introducing a low-rate TBF root queue prevents packet removal long enough to free the redundant class, leaving a dangling RBTree node.
A subsequent enqueue of a different class then triggers a Use-After-Free on the dangling node, yielding kernel heap corruption.
Rather than relying on a traditional ROP chain, the team developed a page-vector-based pointer copy primitive.
They replaced the freed HFSC class object with a user-controlled kernel page vector, coercing RBTree pointer manipulations to copy a kernel page pointer from one vector into another.
This mismatch in reference counts produced a page-level Use-After-Free, which they leveraged to overwrite their process credentials, escalating to root.
The exploit achieved near-perfect reliability against:
- Debian 12 (kernel 6.6 and later)
- Google’s LTS, COS-105, and COS-109 kernelCTF instances
Using optimized submission scripts and GPU-accelerated PoW solving, the team stole the LTS flag in just 3.6 seconds—the fastest in Google kernelCTF history—and quickly captured the COS flags.
They then bypassed Google’s mitigation challenge, demonstrating full chain bypass against experimental defenses.
Google’s security team has fixed the root cause in commit ac9fe7dd8e73, which validates and prevents duplicate RBTree entries. The patch has been merged upstream and is included in Linux 6.6.8 and Debian 12’s forthcoming point releases.
Mitigation strategies until patching include disabling NETEM’s duplication feature under HFSC or avoiding HFSC_RSC on untrusted hosts.
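The following audit script is an added example, not code from the researchers or the article: it parses the text format of `tc qdisc show`, resolves each qdisc's parent chain, and reports every NETEM instance that has `duplicate` configured anywhere beneath an HFSC qdisc, which is the combination the mitigation advice above says to avoid. The sample output is constructed for the example; the regular expression assumes the usual `qdisc KIND HANDLE: dev DEV root|parent HANDLE ...` layout of `tc` output. Walking the whole parent chain (rather than checking only the immediate parent) is a generalization of the article's direct HFSC-over-NETEM case.

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed sample in the shape of `tc qdisc show` output; not captured from a real host.
SAMPLE_TC_QDISC_OUTPUT = """\
qdisc hfsc 1: dev eth0 root refcnt 2 default 1
qdisc netem 2: dev eth0 parent 1:1 limit 1000 duplicate 50%
qdisc hfsc 10: dev eth1 root refcnt 2 default 1
qdisc netem 11: dev eth1 parent 10:1 limit 1000 delay 10ms
qdisc fq_codel 0: dev eth2 root refcnt 2 limit 10240p flows 1024
qdisc netem 20: dev eth3 root refcnt 2 limit 1000 duplicate 10%
"""

# One qdisc line: kind, handle major, device, root-or-parent, then free-form options.
QDISC_RE = re.compile(
    r"^qdisc (?P<kind>\S+) (?P<handle>[0-9a-fA-F]+): dev (?P<dev>\S+) "
    r"(?:root|parent (?P<parent>[0-9a-fA-F]+):[0-9a-fA-F]*)(?P<opts>.*)$"
)


def parse_qdiscs(output: str) -> Dict[str, Dict[str, dict]]:
    """Return {dev: {handle_major: {kind, parent, opts}}} from `tc qdisc show` text."""
    tree: Dict[str, Dict[str, dict]] = {}
    for line in output.splitlines():
        m = QDISC_RE.match(line.strip())
        if not m:
            continue  # statistics lines (from `tc -s`) or unknown text are ignored
        per_dev = tree.setdefault(m["dev"], {})
        per_dev[m["handle"].lower()] = {
            "kind": m["kind"],
            # A parent class "1:1" belongs to the qdisc with handle major "1".
            "parent": m["parent"].lower() if m["parent"] else None,
            "opts": m["opts"],
        }
    return tree


def hfsc_ancestor(qdiscs: Dict[str, dict], major: str) -> Optional[str]:
    """Walk up the parent chain from `major`; return the first hfsc major found, else None."""
    seen = set()
    cur = qdiscs[major]["parent"]
    while cur is not None and cur not in seen:  # `seen` guards against malformed cycles
        seen.add(cur)
        node = qdiscs.get(cur)
        if node is None:
            return None  # parent refers to a qdisc we did not see in the output
        if node["kind"] == "hfsc":
            return cur
        cur = node["parent"]
    return None


def find_risky_hfsc_netem(output: str) -> List[dict]:
    """Report netem qdiscs with `duplicate` set that sit (at any depth) under an hfsc qdisc."""
    findings = []
    for dev, qdiscs in parse_qdiscs(output).items():
        for major, node in qdiscs.items():
            if node["kind"] != "netem":
                continue
            dup = re.search(r"\bduplicate (\S+)", node["opts"])
            if not dup:
                continue  # netem without duplication is not the combination of interest
            hfsc = hfsc_ancestor(qdiscs, major)
            if hfsc is None:
                continue  # netem as root or under a non-hfsc parent only
            findings.append({
                "dev": dev,
                "netem": major + ":",
                "hfsc": hfsc + ":",
                "duplicate": dup.group(1),
            })
    return findings


if __name__ == "__main__":
    # Pipe real output in with `tc qdisc show | python3 audit.py`; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TC_QDISC_OUTPUT
    for f in find_risky_hfsc_netem(text):
        print(f"{f['dev']}: netem {f['netem']} (duplicate {f['duplicate']}) under hfsc {f['hfsc']}")
```

On the constructed sample only `eth0` is reported: `eth1` runs NETEM under HFSC without duplication, `eth3` duplicates packets but has no HFSC ancestor, and `eth2` uses neither. The script reads configuration only; removing or changing a reported NETEM instance is left to the administrator.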
This research underscores the enduring value of manual code auditing alongside fuzzing. Complex scheduler interactions can yield nonobvious vulnerabilities, and inventive queue throttling can convert a harmless loop into a potent exploitable flaw.
With CVE-2025-38001 now resolved, system administrators should update their kernels promptly and review traffic-control configurations to eliminate risky HFSC+NETEM combinations.