Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One)

syst3mfailure.io

Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One)

syst3mfailure.io

RSS BotMB to Lobste.rsEnglish · 21 days ago

[CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One: LTS & COS)

syst3mfailure.io

CVE-2025-38001 is a Use-After-Free vulnerability in the Linux network packet scheduler, specifically in the HFSC queuing discipline. When the HFSC qdisc is utilized with NETEM and NETEM packet duplication is enabled, using HFSC_RSC it is possible to cause a double class insertion in the HFSC eligible tree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue() due to an RBTree cycle. However, by adding TBF as root qdisc, it is possible to prevent packets from being dequeued, bypass the infinite loop, free the class, and trigger a Use-After-Free.

Comments

You must log in or register to comment.

Chat