Redazione RHC: 11 July 2025 09:56
A critical double-free vulnerability has been discovered in the pipapo set module of the nf_tables (NFT) subsystem of the Linux kernel. An unprivileged attacker can exploit it by sending a specially crafted netlink message that triggers the double-free with high reliability, and can then apply kernel exploitation techniques to achieve local privilege escalation.
The vulnerability resides in the nft_add_set_elem function in net/netfilter/nf_tables_api.c, where an uninitialized stack variable, struct nft_set_elem elem, is the source of the flaw. SSD analysts reported that the issue occurs when the CONFIG_INIT_STACK_ALL_ZERO configuration option is disabled, leaving uninitialized data on the stack that taints the element key during processing.
The vulnerable code path processes the user-supplied NFTA_SET_ELEM_KEY data but initializes only the first klen bytes (the key length) of the key buffer, leaving the rest of the buffer filled with stale stack data. That stale memory typically contains pointers left behind by earlier kernel function calls, and these are what trigger the double-free condition when the pipapo set attempts to remove elements.
The reported exploit chain relies on a sophisticated heap exploitation technique to bypass KASLR and obtain an arbitrary write primitive. The vulnerability affects Linux kernel versions 5.6-rc1 through 6.13-rc3 and requires specific kernel configurations, including:
This vulnerability presents a significant security risk because it provides a reliable double-free primitive that can be exploited for local privilege escalation. The reported attack achieves its stability by brute-forcing the key length that triggers the bug on a given kernel configuration.
Effective mitigation strategies include enabling the CONFIG_INIT_STACK_ALL_ZERO kernel compile-time option, which zero-initializes local variables and so removes the uninitialized-data taint. Additionally, applying the patch from the Netfilter development team addresses the root cause by properly initializing the elem structure.
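The two conditions the article names, a kernel in the 5.6-rc1 to 6.13-rc3 range and CONFIG_INIT_STACK_ALL_ZERO left disabled, can be checked from a kernel build config. The script below is an added example written for this page; it is not code from the article, from SSD or from the kernel tree. Its assumptions: the sample configs are constructed, the version comparison looks only at major.minor plus an -rcN suffix (distro stable kernels inside the range may already carry the backported fix, so a hit means "consult the vendor advisory", not proof of exposure), and the additional CONFIG_NF_TABLES check is the author's addition, on the grounds that without nf_tables built the pipapo set code is not present at all.

```shell
#!/bin/sh
# Added example (not from the article or the kernel source): a defender-side
# check for the conditions the article names, an affected kernel version
# (5.6-rc1 through 6.13-rc3) and CONFIG_INIT_STACK_ALL_ZERO left disabled.
# Functions take the config text and version string as arguments so they can
# be run against the live system or against saved configs.

# Constructed sample configs (not taken from real systems), used by the demo below.
SAMPLE_CFG_HARDENED='CONFIG_NF_TABLES=m
CONFIG_INIT_STACK_ALL_ZERO=y'
SAMPLE_CFG_UNHARDENED='CONFIG_NF_TABLES=m
# CONFIG_INIT_STACK_ALL_ZERO is not set
CONFIG_INIT_STACK_NONE=y'

# has_init_stack_all_zero CONFIG_TEXT -> 0 if the stack-zeroing mitigation is compiled in.
has_init_stack_all_zero() {
    printf '%s\n' "$1" | grep -q '^CONFIG_INIT_STACK_ALL_ZERO=y$'
}

# has_nf_tables CONFIG_TEXT -> 0 if nf_tables is built in or as a module.
# Assumption (not from the article): without it the pipapo set code is absent.
has_nf_tables() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_NF_TABLES=(y|m)$'
}

# version_in_affected_range VERSION -> 0 if VERSION lies within 5.6-rc1..6.13-rc3.
# Only major.minor and an -rcN suffix are compared. Distro stable kernels in this
# range may already carry the backported fix, so a hit means "check the vendor
# advisory", not proof of exposure.
version_in_affected_range() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-rc3", "-45-generic", ...
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;                               # unparsable version string
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$1" in
        *-rc*) rc=${1##*-rc}; rc=${rc%%[!0-9]*} ;;   # keep only the rc number
        *)     rc="" ;;
    esac
    # Before 5.6: below the reported range.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; }; then
        return 1
    fi
    # After 6.13: above the reported range.
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -gt 13 ]; }; then
        return 1
    fi
    # 6.13 itself: only -rc1 through -rc3 are listed as affected.
    if [ "$major" -eq 6 ] && [ "$minor" -eq 13 ]; then
        if [ -n "$rc" ] && [ "$rc" -le 3 ]; then return 0; else return 1; fi
    fi
    return 0
}

# exposure CONFIG_TEXT VERSION -> prints a verdict; returns 0 only when the kernel
# is in the affected range, has nf_tables built and lacks CONFIG_INIT_STACK_ALL_ZERO.
exposure() {
    cfg_text=$1; kver=$2
    if ! version_in_affected_range "$kver"; then
        echo "$kver: outside the reported affected range (or version not parsable)"; return 1
    fi
    if ! has_nf_tables "$cfg_text"; then
        echo "$kver: nf_tables not built, pipapo set code absent"; return 1
    fi
    if has_init_stack_all_zero "$cfg_text"; then
        echo "$kver: affected range, but CONFIG_INIT_STACK_ALL_ZERO=y blunts the bug"; return 1
    fi
    echo "$kver: affected range and CONFIG_INIT_STACK_ALL_ZERO disabled: apply the nf_tables fix"
    return 0
}

# Read the running kernel's config, if it is exposed in one of the usual places.
live_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz 2>/dev/null
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Demo on the constructed samples, then on the running kernel when its config is readable.
exposure "$SAMPLE_CFG_UNHARDENED" "6.8.0-45-generic"
exposure "$SAMPLE_CFG_HARDENED"   "6.8.0-45-generic"
cfg=$(live_config)
if [ -n "$cfg" ]; then
    exposure "$cfg" "$(uname -r)"
else
    echo "running kernel $(uname -r): no readable config found, skipping live check"
fi
```

The version test is deliberately coarse: it reproduces the article's boundaries exactly (6.13-rc4 and 6.13 final are treated as fixed) but knows nothing about stable backports, so the config check is the more trustworthy of the two signals on a distribution kernel.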