An independent researcher named Alexander Popov has presented a new technique for exploiting a critical vulnerability in the Linux kernel, assigned the identifier CVE-2024-50264. This use-after-free error in the AF_VSOCK subsystem has been present since kernel version 4.8 and allows an unprivileged local user to throw an error when working with a virtio_vsock_sock object during connection establishment.
The complexity and scale of the issue earned the bug a 2025 Pwnie Award in the “Best Privilege Escalation” category.
Previously, the issue was thought to be extremely difficult to exploit due to kernel defense mechanisms, such as randomized cache distribution and the peculiarities of SLAB buckets, which interfere with simple methods like heap spraying.
However, Popov managed to develop a set of techniques that remove these restrictions. The work was done as part of the open kernel-hack-drill platform, which is designed to test kernel exploits.
The key step was the use of a special type of POSIX signal that doesn’t terminate the process. It interrupts the connect() system call, allowing race conditions to be reliably reproduced and the attack to remain undetected.
Subsequently, the researcher learned to control the behavior of memory caches by substituting their own structures for released objects. Timing tuning allows you to slide previously prepared data exactly where the vulnerable element was previously located.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
