New CentOS 9 Vulnerability Lets Attackers Escalate to Root Privileges



A critical use-after-free (UAF) vulnerability in the Linux kernel’s sch_cake queuing discipline (Qdisc) affects CentOS 9, allowing local users to gain root privileges.

Security firm SSD Secure Disclosure published details on February 5, 2026, noting the flaw won first place in the Linux category at TyphoonPWN 2025.

The issue arises in the cake_enqueue function of the CAKE Qdisc, which returns NET_XMIT_SUCCESS even after dropping packets due to buffer limits.

This misleads parent classful Qdiscs like HFSC, leading to improper state management and a UAF when dequeuing packets. Attackers can exploit this for arbitrary code execution in kernel context, achieving local privilege escalation (LPE).

When buffer_used exceeds buffer_limit, cake_enqueue drops packets via cake_drop but signals success. In a stacked setup (HFSC over CAKE), HFSC enqueues without error checks, calling init_ed to add the class to its active list.

Deleting the HFSC class purges the child CAKE Qdisc via qdisc_purge_queue, but since CAKE is empty, qlen_notify skips removal from HFSC’s active list.

This leaves a dangling pointer. During hfsc_dequeue, eltree_get_mindl selects the freed class, and qdisc_dequeue_peeked triggers UAF on cl->qdisc. The exploit leverages this for RIP control via a sprayed fake Qdisc with ROP gadgets.

Key code flaw in cake_enqueue:

    if (q->buffer_used > q->buffer_limit) {
        /* drops packets via cake_drop() */
    }
    return NET_XMIT_SUCCESS;  /* misleads the parent Qdisc: the drop is reported as success */
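The accounting mismatch behind the flaw is easier to follow in a user-space model than in the kernel sources. The program below is an added example written for this article; it is not the kernel's code and not from the SSD advisory. It models the sequence the article describes (a buffer-limited child that drops a packet but reports success, a classful parent that puts the class on its active list because it trusted that result, a class deletion that only notifies the parent when the child actually held packets, and a dequeue that then picks the stale class). All names (child_enqueue, parent_enqueue, parent_delete_class, parent_dequeue, run_scenario, report_drops) are hypothetical stand-ins for cake_enqueue, hfsc_enqueue, qlen_notify and hfsc_dequeue, and the "hardened" variant is an assumption: it simply propagates a drop result to the parent, which is one way to keep the parent's state consistent; the page does not state what the eventual upstream fix looks like.

```c
/* Added example: user-space model of the CAKE/HFSC accounting mismatch.
 * Not kernel code; names are hypothetical simplifications. */
#include <stdbool.h>
#include <stdio.h>

#define NET_XMIT_SUCCESS 0
#define NET_XMIT_DROP    1

/* Buffer-limited child queue, modelled on the cake_enqueue snippet above. */
struct child_qdisc {
    int buffer_used, buffer_limit, qlen;
    bool report_drops;  /* false: the flaw in the article; true: assumed hardening */
};

static int child_enqueue(struct child_qdisc *q, int len)
{
    if (q->buffer_used + len > q->buffer_limit) {
        /* Packet is dropped: nothing is queued, qlen stays unchanged. */
        return q->report_drops ? NET_XMIT_DROP : NET_XMIT_SUCCESS;
    }
    q->buffer_used += len;
    q->qlen++;
    return NET_XMIT_SUCCESS;
}

/* A class of the classful parent; 'freed' stands in for the memory being released. */
struct hclass {
    struct child_qdisc *child;
    bool freed;
};

#define MAX_ACTIVE 4
struct parent_qdisc {
    struct hclass *active[MAX_ACTIVE];  /* classes the parent believes hold packets */
    int n_active;
};

static void activate(struct parent_qdisc *p, struct hclass *cl)
{
    if (p->n_active < MAX_ACTIVE)
        p->active[p->n_active++] = cl;
}

static void deactivate(struct parent_qdisc *p, struct hclass *cl)
{
    for (int i = 0; i < p->n_active; i++) {
        if (p->active[i] == cl) {
            p->active[i] = p->active[--p->n_active];
            return;
        }
    }
}

/* Parent enqueue: trusts the child's return code. With the flawed child the
 * error branch is never taken, so the class is activated with qlen still 0. */
static int parent_enqueue(struct parent_qdisc *p, struct hclass *cl, int len)
{
    bool first = (cl->child->qlen == 0);
    int err = child_enqueue(cl->child, len);
    if (err != NET_XMIT_SUCCESS)
        return err;
    if (first)
        activate(p, cl);  /* init_ed(): class joins the active list */
    return NET_XMIT_SUCCESS;
}

/* Class deletion: purge the child, notify the parent only if the child
 * actually held packets (the qlen_notify path), then release the class. */
static void parent_delete_class(struct parent_qdisc *p, struct hclass *cl)
{
    int qlen = cl->child->qlen;
    cl->child->qlen = 0;
    cl->child->buffer_used = 0;
    if (qlen > 0)
        deactivate(p, cl);  /* skipped when the child is empty: dangling entry */
    cl->freed = true;       /* kfree() in the kernel */
}

/* Returns 1 if dequeue would touch a released class (the UAF), 0 otherwise. */
static int parent_dequeue(struct parent_qdisc *p)
{
    if (p->n_active == 0)
        return 0;
    struct hclass *cl = p->active[0];  /* eltree_get_mindl(): first active class */
    return cl->freed ? 1 : 0;
}

/* One oversized send (constructed sizes: limit 100, packet 200), then delete + dequeue. */
int run_scenario(bool hardened_child)
{
    struct child_qdisc cake = { .buffer_used = 0, .buffer_limit = 100, .qlen = 0,
                                .report_drops = hardened_child };
    struct hclass cl = { .child = &cake, .freed = false };
    struct parent_qdisc hfsc = { .n_active = 0 };

    parent_enqueue(&hfsc, &cl, 200);   /* dropped by the child */
    parent_delete_class(&hfsc, &cl);
    return parent_dequeue(&hfsc);
}

int main(void)
{
    printf("flawed child:   dangling class reached = %d\n", run_scenario(false));
    printf("hardened child: dangling class reached = %d\n", run_scenario(true));
    return 0;
}
```

Running it shows the flawed child leaving the released class on the parent's active list (result 1), while a child that reports the drop never gets its class activated, so the later deletion has nothing to leave behind (result 0). The takeaway for reviewing queueing or any parent/child resource code is the same: a child's return value is part of the parent's state machine, and "success" must only be returned when the parent's assumptions (here, that the child now holds at least one packet) actually hold.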

Exploitation Details

According to the advisory, the PoC bypasses KASLR using prefetch side-channel timing and sprays fake Qdiscs via sendmsg with crafted control messages.

It sets up HFSC (0x10000) with classes, adds a CAKE child, triggers a drop via a loopback send, deletes the class to create the UAF, then sprays a ROP chain to overwrite modprobe_path. Finally, it triggers modprobe for a root shell via an unhandled file type.

No CVSS score has been assigned yet, but the impact is high: a local attacker can gain root on CentOS 9 systems using CAKE.

Red Hat (CentOS upstream) was notified over 90 days ago; its response so far is “Work in progress, no release yet.” Similar past CAKE flaws (e.g., CVE-2022-50452, a null-pointer dereference) were patched via kernel updates.

Mitigation Steps

  • Avoid CAKE Qdisc: tc qdisc del dev lo root or switch to alternatives like HTB.
  • Monitor tc commands and unusual netlink traffic.
  • Update kernel when patched; disable unneeded Qdisc modules.
  • Use namespaces/user isolation for risky workloads.

This LPE highlights kernel traffic control risks; admins should audit Qdisc usage promptly.
