Analysis Summary

A recently disclosed use-after-free (UAF) in Ubuntu’s af_unix subsystem arises from a reference-count imbalance introduced by selective backporting: Ubuntu’s 6.8.0-60-generic (24.04.2) kernel incorporated the upstream af_unix change that removed skb_get() from queue_oob() but failed to apply the corresponding updates to the garbage-collection path in garbage.c. That mismatch makes an OOB sk_buff lose one reference during allocation but be decremented twice (once in unix_gc and once in unix_release_sock), producing a reliable UAF on the 256-byte sk_buff object allocated from skbuff_head_cache. Researcher disclosure writeup explain that practical exploitation most often sees the free occur in unix_gc with a subsequent use in unix_release_sock.

The proof-of-concept exploit demonstrated at TyphoonPWN 2025 turns that logical bug into a deterministic local root by forcing garbage collection immediately after socket close via a very high unix_tot_inflight (reported >16,000) to separate free and use phases; pausing the kernel thread path with a FUSE mmap’d buffer in skb_copy_datagram_from_iter (a custom read handler sleeps) to widen timing; performing a cross-cache reclaim and spraying controlled pg_vec structures via packet sockets on loopback to reclaim the freed slab page; and overwriting the freed skb to hijack destructor invocation in skb_release_head_state, gaining control of registers and crafting ROP chains. The exploit also includes a KASLR leak via a prefetch-side-channel (Entrybleed-style) timing attack to defeat randomization on non-KPTI systems.

The delivered PoC is a full C exploit (with helper utils and FUSE components) that demonstrates the complete chain KASLR leak, slab reclaim/spray, ROP, and final payload that overwrites modprobe_path to "/tmp/x" so a usermodehelper invocation runs a script granting root and it was awarded first place in the TyphoonPWN 2025 Linux category. The disclosure authors and secondary reports walk through the exact kernel internals used (OOB skb handling, garbage collection timing, TWA_RESUME/work-queue ordering, and slab reuse techniques), so the public PoC materially raises the risk profile for unpatched systems.

Researcher released a fix that brings the Ubuntu kernel fully in line with the upstream refcounting fixes; the vendor advisory notes the updated package was released on 18 September 2025 and users should upgrade to the corrected kernel (verify 6.8.0-61 or later) via the usual channels (apt upgrade linux-generic) and reboot. Because this vulnerability is local but now PoC-public, administrators should prioritize patching, verify kernel versions across inventory, and monitor for unusual local privilege escalation activity the incident also highlights the danger of selective backports and the need for careful cross-file patch application and testing in distribution kernels.

Impact

• Gain Access
• Privilege Escalation

Remediation

• Apply the vendor patch immediately
• Run sudo apt update && sudo apt install --only-upgrade linux-generic and reboot into the updated kernel.
• Verify with uname -r — target version 6.8.0-61 or later.
• Enable Canonical Livepatch or vendor livepatch if rebooting is temporarily not possible.
• Remove affected hosts from sensitive networks and restrict remote access.
• Place vulnerable systems in quarantine or maintenance mode until patched.
• Review and restrict sudoers and local accounts to enforce least privilege.
• Disable or limit FUSE usage and other user-space filesystems if not required.
• Check for unexpected or modified modprobe_path entries such as /tmp/x.
• Scan for new suid/sgid binaries or suspicious processes launched from /tmp.
• Inspect system logs (auth.log, syslog, kern.log, audit logs) for anomalies.
• Detect unusual FUSE activity, very high unix_tot_inflight counts, or heavy loopback packet-socket usage.
• Examine memory and kernel module listings for unknown or suspicious entries.
• Deploy rules to detect abnormal socket behaviour or exploit-like activity.
• Add endpoint detection signatures for PoC tools or FUSE helper binaries.
• Identify all Ubuntu 24.04.2 hosts and prioritize patching critical systems.
• Update configuration management tools to automate kernel upgrades.