Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
A critical double-free vulnerability has been discovered in the pipapo set module of the NFT subsystem of the Linux kernel. An unprivileged attacker can exploit this vulnerability by sending a specially crafted netlink message, triggering a double-free with high stability fault. An attacker can leverage kernel exploit techniques to achieve local privilege escalation.
The vulnerability resides in the nft_add_set_elem function located in net/netfilter/nf_tables_api.c, where an uninitialized stack variable struct nft_set_elem elem becomes the source of the security flaw. SSD analysts reported that the issue occurs when the CONFIG_INIT_STACK_ALL_ZERO configuration option is disabled, leaving uninitialized data on the stack that taints the element key during processing.
The vulnerable code path processes the user-supplied NFTA_SET_ELEM_KEY data, but initializes memory only to the key length (klen), leaving the remaining buffer contents with uninitialized stack data. This uninitialized memory typically contains pointers from previous kernel function calls, which trigger the double-free condition when the pipapo set attempts to remove elements.
The exploit process involves a sophisticated heap exploitation technique that allows bypassing KASLR and establishing an arbitrary write primitive. The vulnerability affects Linux kernel versions 5.6-rc1 through 6.13-rc3 and requires specific kernel configurations, including:
This vulnerability presents significant security risks because it provides a reliable double-free primitive that can be exploited for local privilege escalation. The attack achieves high stability through brute-force techniques that identify optimal key lengths to trigger the bug on specific kernel configurations.
Effective mitigation strategies include enabling the CONFIG_INIT_STACK_ALL_ZERO kernel compile option, which initializes local variables to zero and prevents uninitialized data taint. Additionally, applying the patch available from the Netfilter development team addresses the root cause by correctly initializing the elem structure.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
