Linux Kernel Vulnerability Allows Attackers to Gain Full Kernel-Level Control From Chrome Sandbox

August 9, 2025: A severe security vulnerability in the Linux kernel, tracked as CVE-2025-38236, has been uncovered by Google Project Zero researcher Jann Horn, exposing a path that takes an attacker from native code execution within the Chrome renderer sandbox to full kernel-level control on Linux systems.

The flaw, tied to the obscure MSG_OOB feature in UNIX domain sockets, affects Linux kernels version 6.9 and above, raising alarms about the security of browser sandboxes and the risks of esoteric kernel functionalities.

MSG_OOB Bug Opens Door to Kernel Exploitation

Discovered in early June during a code review of a new Linux kernel feature, the vulnerability stems from the MSG_OOB (out-of-band) functionality introduced in Linux 5.15 in 2021. 

Primarily used in niche Oracle applications, MSG_OOB was enabled by default in kernels supporting UNIX domain sockets and was inadvertently accessible within Chrome’s Linux renderer sandbox due to unfiltered syscall flags. 

The bug triggers a use-after-free (UAF) condition, which Horn demonstrated can be exploited with a straightforward sequence of socket operations, enabling attackers to manipulate kernel memory and potentially gain elevated privileges.

The exploit, detailed on Google Project Zero’s bug tracker, showcases a sophisticated attack on an x86-64 Debian Trixie system.

By leveraging a UAF-induced read primitive, attackers can copy arbitrary kernel memory to user space, bypassing usercopy hardening restrictions. 

Horn’s approach involves reallocating freed memory as pipe pages or kernel stacks, using techniques like page table manipulation and mprotect() to […] pointer, which remains dangling, leading to a UAF when a subsequent recv(…, MSG_OOB) call accesses it.

The exploit’s success hinges on Debian’s CONFIG_RANDOMIZE_KSTACK_OFFSET feature, which randomizes stack offsets per syscall.

Horn turned this mitigation into an advantage, using the read primitive to detect optimal stack alignments, enabling precise memory corruption.

The Linux kernel has since been patched, and Chrome has updated its sandbox to block MSG_OOB messages, closing this specific attack vector.
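The article notes that MSG_OOB reached the renderer only because the sandbox did not filter the flag, and that Chrome’s fix was to block it. The following is an added illustration, not code from the article, from Chrome or from Project Zero, of what such a filter looks like at the seccomp-bpf level: it returns EPERM for any send/recv-family syscall whose flags argument has MSG_OOB set, allows everything else, and kills the process on an architecture mismatch. The syscall set and argument positions assume x86-64 or AArch64 Linux (where glibc’s send()/recv() are implemented via sendto/recvfrom); the demo uses a socketpair and a forked child so the filter never touches the parent.

```c
/* Added example: seccomp-bpf filter denying MSG_OOB on UNIX (and all other) sockets.
 * Assumes little-endian x86-64 or AArch64 Linux; i386 (socketcall) is not handled. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "example filter only covers x86-64 and AArch64"
#endif
#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "ARG_LO assumes a little-endian seccomp_data layout"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Low 32 bits of syscall argument k (flags never exceed 32 bits). */
#define ARG_LO(k) (offsetof(struct seccomp_data, args) + 8 * (k))

/* Indices in comments; jump offsets are relative to the next instruction. */
static struct sock_filter oob_filter[] = {
    /* [0] */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* [1] */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    /* [2] */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* [3] */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* flags live in arg 3 for these four: jump to [10] */
    /* [4] */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto,   5, 0),
    /* [5] */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvfrom, 4, 0),
    /* [6] */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendmmsg, 3, 0),
    /* [7] */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvmmsg, 2, 0),
    /* flags live in arg 2 for these two: jump to [12]; anything else -> [16] allow */
    /* [8] */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendmsg,  3, 0),
    /* [9] */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvmsg,  2, 6),
    /* [10] */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(3)),
    /* [11] */ BPF_STMT(BPF_JMP | BPF_JA, 1),
    /* [12] */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),
    /* [13] */ BPF_STMT(BPF_ALU | BPF_AND | BPF_K, MSG_OOB),
    /* [14] */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0),
    /* [15] */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* [16] */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

int oob_filter_len(void) { return (int)(sizeof(oob_filter) / sizeof(oob_filter[0])); }

/* Installs the filter in the calling process; 0 on success, -1 on failure. */
int install_oob_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)oob_filter_len(), .filter = oob_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Runs the check in a child: 1 = plain send/recv work and MSG_OOB variants fail with
 * EPERM; 0 = filter installed but behaved unexpectedly; -1 = could not set up. */
int demo_oob_blocked(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int sv[2];
        char c = 'x', buf = 0;
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) _exit(3);
        if (install_oob_filter() != 0) _exit(3);
        int plain_send_ok  = send(sv[0], &c, 1, 0) == 1;
        int oob_send_denied = send(sv[0], &c, 1, MSG_OOB) == -1 && errno == EPERM;
        int oob_recv_denied = recv(sv[1], &buf, 1, MSG_OOB) == -1 && errno == EPERM;
        int plain_recv_ok  = recv(sv[1], &buf, 1, 0) == 1 && buf == 'x';
        _exit((plain_send_ok && oob_send_denied && oob_recv_denied && plain_recv_ok) ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    switch (WEXITSTATUS(status)) { case 0: return 1; case 1: return 0; default: return -1; }
}

int main(void) {
    printf("filter length: %d instructions\n", oob_filter_len());
    printf("MSG_OOB blocked under filter: %d\n", demo_oob_blocked());
    return 0;
}
```

The filter is deliberately a flag check rather than a blanket denial of the socket syscalls, since the renderer still needs ordinary send/recv on its IPC sockets; with SECCOMP_RET_ERRNO the caller sees a clean EPERM instead of a crash, which is the behaviour a sandbox wants for a flag that nothing legitimate uses.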

Sandbox Weaknesses and Fuzzer Limitations Exposed

The initial bug was detected by Google’s syzkaller fuzzing tool in August 2024, requiring six syscalls to trigger, while a related, more complex issue found by Horn needed eight. 

This highlights the challenge fuzzers face in navigating complex kernel data structures like socket buffers (SKBs). 

Horn suggests enhancing fuzzers to focus on specific kernel subsystems to better uncover such vulnerabilities, as the probability of randomly hitting the right syscall sequence drops exponentially with each additional call.

The exploit also reveals the extensive attack surface in Chrome’s Linux renderer sandbox, which exposes interfaces like anonymous VMAs, UNIX sockets, pipes, and syscalls such as sendmsg() and mprotect(). Many of these are unnecessary for renderer functionality, increasing the risk of exploitation. 

Past Chrome vulnerabilities, including those involving futex(), memfd_create(), and pipe2(), underscore how obscure kernel features can introduce unintended vulnerabilities when exposed in sandboxes.

Horn’s findings also challenge the efficacy of probabilistic mitigations like per-syscall stack randomization against attackers with arbitrary read capabilities, as these can be bypassed by repeatedly checking randomization outcomes. 

The use of mprotect() to delay copy_from_user() operations further suggests that restricting features like userfaultfd may not fully mitigate such risks, as alternative methods can achieve similar delays.

This vulnerability underscores the need for stricter sandbox restrictions and a reevaluation of kernel features exposed to unprivileged processes. 

Horn plans to conduct a deeper analysis of Chrome’s Linux renderer sandbox in a future report. 

For now, Linux users are urged to apply the latest kernel patches, and developers are encouraged to scrutinize esoteric kernel features embedded in core system interfaces to prevent similar exploits.
