A critical security flaw has been identified in CentOS 9 that allows a local user to escalate their privileges to root.
The vulnerability, which stems from a Use-After-Free (UAF) condition in the Linux kernel’s networking subsystem, was awarded first place in the Linux category at the TyphoonPWN 2025 hacking competition.
A Proof-of-Concept (PoC) exploit has now been released, demonstrating how attackers can leverage this flaw to gain full control over affected systems.
The vulnerability exists within the sch_cake (Common Applications Kept Enhanced) packet scheduler.
It allows a standard local user to trigger a memory corruption bug that can be exploited to execute arbitrary code with root permissions.
Despite the vendor being notified over 90 days ago, no official patch has been released, with the only status update being that work is “in progress.”
The sch_cake Logic Error
The core of the issue lies in how the CAKE queuing discipline (Qdisc) handles packet drops.
Specifically, the cake_enqueue function incorrectly reports success (NET_XMIT_SUCCESS) to its parent scheduler even when it drops a packet due to buffer limits.
When a classful scheduler like HFSC (Hierarchical Fair Service Curve) is stacked on top of CAKE, it relies on this return value.
Because CAKE claims the packet was queued successfully, HFSC keeps a reference to the class.
However, because the packet was actually dropped, the class can be freed while HFSC still thinks it is active. This leaves a “dangling pointer” a reference to memory that is no longer valid.
The root cause is visible in the cake_enqueue function logic below. Note how cake_drop is called to discard data, yet the function returns NET_XMIT_SUCCESS at the end:
cstatic s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
struct sk_buff **to_free)
{
// ...
if (q->buffer_used > q->buffer_limit) { // [1] Check buffer limit
u32 dropped = 0;
while (q->buffer_used > q->buffer_limit) {
dropped++;
cake_drop(sch, to_free); // [2] Packet is DROPPED here
}
b->drop_overlimit += dropped;
}
return NET_XMIT_SUCCESS; // [!] Returns SUCCESS anyway
}
Exploitation Methodology
According to SSD Disclosure, the released PoC demonstrates a reliable exploit chain. The attacker first sprays “fake” Qdisc objects onto the kernel heap to control the memory layout.
By triggering the UAF condition, they can redirect the kernel’s execution flow to their own code.
Key steps in the exploit include:
- KASLR Bypass: Using a prefetch side-channel attack to identify the randomized location of kernel code.
- Heap Spraying: Using
sendmsgto flood the heap with fake objects, ensuring the dangling pointer lands on attacker-controlled data. - ROP Chain: Constructing a Return-Oriented Programming (ROP) chain to hijack the execution path, overwrite the
modprobe_path, and execute a script as root.
The following snippet shows the ROP chain setup used to gain execution control:
cvoid rop_chain(uint64_t* data){
int i = 0;
data[i++] = kbase + POP_RDI_RET; // Prepare stack for payload
data[i++] = kbase + PUSH_RDI_POP_RSP_RET; // Stack pivot
data[i++] = kbase + POP_RDI_RET;
data[i++] = 0x782f706d742f; // String: "/tmp/x"
data[i++] = kbase + POP_RSI_RET;
data[i++] = kbase + MODPROBE_PATH; // Overwrite modprobe_path
data[i++] = kbase + MOV_RSI_RDI_RET; // Execute write
data[i++] = kbase + SWAPGS; // Restore user state
data[i++] = kbase + IRETQ; // Return to user space
// ... (Restore registers)
}
There is no official patch available for CentOS 9 systems. Administrators are advised to monitor for kernel updates and restrict access to the tc (traffic control) command or the loading of the sch_cake module where possible until a fix is deployed.
The vendor has acknowledged the flaw but has not provided a release timeline.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google