A critical local privilege escalation vulnerability in Ubuntu's Linux kernel has been disclosed that lets an unprivileged local attacker obtain root on vulnerable systems.
Revealed at TyphoonPWN 2025, the flaw is a reference-count imbalance in the af_unix subsystem that results in a use-after-free (UAF); the researchers backed the finding with a complete proof-of-concept exploit.
The bug affects Ubuntu 24.04.2 running the 6.8.0-60-generic kernel, and it underscores a persistent problem with backporting and patch consistency in distribution kernels. The root cause is Ubuntu's partial application of the upstream fixes for af_unix reference-counting errors: the change to af_unix.c was applied, but the corresponding change to garbage.c was not.
AF_UNIX (Unix domain) sockets provide inter-process communication, including passing file descriptors between processes. Upstream kernel work replaced the old circular-reference garbage collector with a new one and changed how references to the out-of-band (OOB) socket buffer (skb) are managed. As part of that work, the skb_get() call was removed from queue_oob in af_unix.c so that u->oob_skb no longer carries an extra reference, and the garbage-collection logic in garbage.c was adjusted to match. Ubuntu's kernel kept the legacy garbage collector but applied only the af_unix.c change, so the two files disagree about who owns the reference: oob_skb is allocated with a single reference, yet that reference is dropped twice, once by kfree_skb in unix_gc and again by unix_release_sock during socket teardown. The second drop operates on an already freed 256-byte sk_buff from skbuff_head_cache, which is the use-after-free.
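To make the ownership mismatch concrete, here is an added illustrative model; it is not kernel source and not the TyphoonPWN exploit. An skb is reduced to a reference counter, and queue_oob, unix_gc and unix_release_sock are each reduced to the single reference operation the paragraph attributes to them, with a flag selecting the pre-fix or post-fix behavior of af_unix.c and garbage.c independently. The `_model` function and field names are stand-ins for the kernel ones, and `simulate` runs the sequence the write-up reports (OOB skb queued, GC runs, release runs) and reports whether the count came out balanced, leaked, or dropped twice.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of sk_buff: only what the refcount story needs. */
struct skb {
    int users;     /* stands in for sk_buff.users */
    bool freed;    /* set once the last reference has been dropped */
};

/* Model of unix_sock: the pending out-of-band skb. */
struct unix_sock {
    struct skb *oob_skb;
};

enum outcome { BALANCED, LEAKED, USE_AFTER_FREE };

static struct skb *alloc_skb_model(void)
{
    struct skb *s = calloc(1, sizeof *s);
    if (!s)
        abort();
    s->users = 1;              /* allocation hands back one reference */
    return s;
}

/* Returns true if the drop touched an object that was already freed. */
static bool kfree_skb_model(struct skb *s)
{
    if (s->freed)
        return true;           /* second drop on a freed skb: the UAF */
    if (--s->users == 0)
        s->freed = true;
    return false;
}

/* af_unix.c, queue_oob: before the upstream fix an extra reference was
 * taken with skb_get(); the fix removed that call. */
static void queue_oob_model(struct unix_sock *u, struct skb *s, bool fixed_af_unix)
{
    if (!fixed_af_unix)
        s->users++;            /* models skb_get() */
    u->oob_skb = s;
}

/* garbage.c, unix_gc: the legacy collector drops oob_skb itself with
 * kfree_skb; the matching upstream change removed that drop. */
static bool unix_gc_model(struct unix_sock *u, bool fixed_garbage)
{
    if (fixed_garbage || !u->oob_skb)
        return false;
    return kfree_skb_model(u->oob_skb);
}

/* unix_release_sock: drops the socket's oob_skb reference on teardown in
 * both the old and the new code. */
static bool unix_release_sock_model(struct unix_sock *u)
{
    bool bad = false;
    if (u->oob_skb) {
        bad = kfree_skb_model(u->oob_skb);
        u->oob_skb = NULL;
    }
    return bad;
}

/* One socket lifetime in the order the write-up reports as reliable:
 * OOB skb queued, GC runs, deferred release runs. */
enum outcome simulate(bool fixed_af_unix, bool fixed_garbage)
{
    struct unix_sock u = { 0 };
    struct skb *s = alloc_skb_model();
    bool bad;
    enum outcome r;

    queue_oob_model(&u, s, fixed_af_unix);
    bad = unix_gc_model(&u, fixed_garbage);
    bad |= unix_release_sock_model(&u);

    if (bad)
        r = USE_AFTER_FREE;
    else if (!s->freed)
        r = LEAKED;            /* a reference was never returned */
    else
        r = BALANCED;
    free(s);                   /* the model only flags frees, so this is safe */
    return r;
}

int main(void)
{
    static const char *names[] = { "balanced", "leaked", "use-after-free" };
    for (int a = 0; a < 2; a++)
        for (int g = 0; g < 2; g++)
            printf("af_unix.c %s, garbage.c %s: %s\n",
                   a ? "fixed" : "old", g ? "fixed" : "old",
                   names[simulate(a, g)]);
    return 0;
}
```

The mixed combination with af_unix.c fixed and garbage.c old is Ubuntu's configuration and is the only one that reports a use-after-free; the reverse mismatch leaks the skb instead. That asymmetry is why a half-applied refcount patch can fail silently or fail dangerously depending on which half was taken.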
SSD Disclosure observed that either function could be the one that frees the object, but in practice the reliable pattern is unix_gc freeing the skb followed by the use in unix_release_sock.
For reliable exploitation, the free and the later use must be separated in time. The researchers forced garbage collection immediately after the socket was closed by driving unix_tot_inflight above roughly 16,000, so that a subsequent sendmsg enters wait_for_unix_gc. To keep the window open before unix_release_sock runs (it is deferred as task work with TWA_RESUME), the exploit stalls the calling task inside skb_copy_datagram_from_iter by having it copy from a FUSE-backed mmap buffer whose custom FUSE read handler sleeps for several seconds.
A cross-cache technique was then used to free the slab page and reclaim it with attacker-controlled pg_vec structures sprayed through packet sockets on the loopback interface. Overwriting the freed skb gives control of its destructor, called from skb_release_head_state, and with it the RIP and RDI registers. KASLR is defeated with a prefetch side channel in the Entrybleed family, using statistical analysis of the timings on systems without KPTI, to obtain a reliable kernel address leak. The final step is a ROP chain that overwrites modprobe_path with "/tmp/x", a script that the kernel's usermode helper then runs with root privileges.
The PoC is a substantial C exploit that builds together with helper utilities and FUSE components and demonstrates the full chain: KASLR leak, slab spraying, and payload execution. It took first place in TyphoonPWN 2025's Linux category, with the researcher credited for the depth of the kernel-internals analysis.
Mitigation
Canonical responded on September 18, 2025, with an updated kernel that carries the complete upstream fixes and restores balanced reference counting across the affected files. Users on the vulnerable release should update immediately (for example, apt update && apt upgrade), reboot so the new kernel is actually running, and confirm with uname -r that they are on 6.8.0-61 or later; a kernel that is installed but not yet booted leaves the system exposed.
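A small check for the running kernel, added here as example code rather than anything from Canonical or the advisory. It parses the uname -r layout Ubuntu uses (MAJ.MIN.PATCH-ABI-flavor) and encodes only the two facts stated above: 6.8.0-61-generic and later carry the fix, and 6.8.0-60-generic does not. Anything outside the 6.8.0 series or the generic flavor is reported as not covered rather than guessed, since this page says nothing about other kernels; the `classify` and `parse_release` names are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

enum fix_status { FIXED, NOT_FIXED, UNKNOWN };

/* Parse "MAJ.MIN.PATCH-ABI-flavor" (the Ubuntu uname -r layout).
 * Returns 0 on success, -1 if the string does not have that shape. */
static int parse_release(const char *rel, int *maj, int *min, int *pat,
                         int *abi, char *flavor, size_t flen)
{
    int n = 0;
    if (sscanf(rel, "%d.%d.%d-%d%n", maj, min, pat, abi, &n) != 4)
        return -1;
    if (rel[n] != '-' || rel[n + 1] == '\0')
        return -1;                      /* flavor suffix missing */
    snprintf(flavor, flen, "%s", rel + n + 1);
    return 0;
}

/* Classify a release string against the advisory: 6.8.0-61-generic and
 * later carry the fix, lower 6.8.0 ABIs do not. Other series and
 * flavors are reported UNKNOWN because the advisory does not cover them. */
enum fix_status classify(const char *rel)
{
    int maj, min, pat, abi;
    char flavor[32];

    if (parse_release(rel, &maj, &min, &pat, &abi, flavor, sizeof flavor) != 0)
        return UNKNOWN;
    if (maj != 6 || min != 8 || pat != 0)
        return UNKNOWN;                 /* not the 6.8.0 series */
    if (strcmp(flavor, "generic") != 0)
        return UNKNOWN;                 /* advisory names only -generic */
    return abi >= 61 ? FIXED : NOT_FIXED;
}

int main(void)
{
    static const char *words[] = { "fixed", "NOT fixed", "not covered by this advisory" };
    struct utsname u;

    /* uname(2) reports the kernel actually running, which is what matters:
     * dpkg can list a fixed kernel that has not been booted yet. */
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    printf("running kernel %s: %s\n", u.release, words[classify(u.release)]);
    return 0;
}
```

Run it after the reboot, not just after apt; it deliberately reads the live release string rather than the package database for that reason.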
The incident highlights the risk of selective backporting in distribution kernels and the need for administrators to follow security advisories closely. There are no reports of widespread exploitation, but the public PoC raises the urgency of patching in enterprise environments.
