{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/linux-kernel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2025-40271"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux Kernel"],"_cs_severities":["high"],"_cs_tags":["local-privilege-escalation","kernel-vulnerability","use-after-free","linux"],"_cs_type":"advisory","_cs_vendors":["Linux Kernel"],"content_html":"\u003cp\u003eA local privilege escalation vulnerability, CVE-2025-40271, affects Linux Kernel versions from approximately 3.14 up to 6.18-rc5. The vulnerability lies in the \u003ccode\u003eproc_readdir_de()\u003c/code\u003e function within the kernel\u0026rsquo;s proc filesystem implementation. When a \u003ccode\u003eproc_dir_entry\u003c/code\u003e is removed from the parent\u0026rsquo;s red-black tree, it isn\u0026rsquo;t properly marked as detached, leaving stale rb-links. An attacker can exploit this use-after-free condition to gain elevated privileges on the system by triggering a race condition. This involves calling \u003ccode\u003egetdents64()\u003c/code\u003e on a \u003ccode\u003e/proc\u003c/code\u003e subdirectory, specifically \u003ccode\u003e/proc/self/net/dev_snmp6/\u003c/code\u003e, while concurrently unregistering network devices. Successful exploitation allows an attacker to overwrite the \u003ccode\u003emodprobe_path\u003c/code\u003e for local privilege escalation. The vulnerability was patched in stable versions 5.10.247, 6.1.159, 6.12.73, and 6.18-rc6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sets up a user namespace with CAP_NET_ADMIN capabilities to manipulate network devices.\u003c/li\u003e\n\u003cli\u003eThe attacker creates multiple veth (virtual ethernet) pairs. These veth pairs populate the \u003ccode\u003e/proc/self/net/dev_snmp6/\u003c/code\u003e directory, which the exploit will target.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a race condition by calling \u003ccode\u003egetdents64()\u003c/code\u003e on the \u003ccode\u003e/proc/self/net/dev_snmp6/\u003c/code\u003e directory. This reads directory entries from the proc filesystem.\u003c/li\u003e\n\u003cli\u003eConcurrently with the \u003ccode\u003egetdents64()\u003c/code\u003e call, the attacker triggers the unregistration of network devices. This action removes proc entries, potentially freeing a \u003ccode\u003eproc_dir_entry\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the removed \u003ccode\u003eproc_dir_entry\u003c/code\u003e is not properly cleared, leaving stale links in the red-black tree.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetdents64()\u003c/code\u003e call encounters the freed \u003ccode\u003eproc_dir_entry\u003c/code\u003e and attempts to dereference its fields, resulting in a use-after-free condition. The attacker sprays the freed kmalloc-192 slots with \u003ccode\u003emsg_msg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts a kernel heap address from the leaked \u003ccode\u003ed_ino\u003c/code\u003e field, which is part of the \u003ccode\u003emsg_msg\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe extracted kernel heap address is used to calculate the address of \u003ccode\u003emodprobe_path\u003c/code\u003e, and the attacker overwrites it, leading to local privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unprivileged local attacker to escalate their privileges to root. This can lead to complete system compromise, including data theft, malware installation, and denial of service. While the provided exploit shows a hit rate of 40-60% per attempt and may require several attempts, the impact is significant due to the potential for full system control. This vulnerability affects a wide range of Linux kernel versions and could impact numerous systems if left unpatched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the appropriate kernel patch from the Linux Kernel org, specifically commit 895b4c0c79b092d732544011c3cecaf7322c36a1, which adds the \u003ccode\u003epde_erase()\u003c/code\u003e helper function that calls \u003ccode\u003eRB_CLEAR_NODE()\u003c/code\u003e after \u003ccode\u003erb_erase()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for anomalous \u003ccode\u003ed_ino\u003c/code\u003e values in \u003ccode\u003egetdents64\u003c/code\u003e output, as indicated in the exploit description, which are indicative of a UAF condition. Deploy the Sigma rule \u003ccode\u003eDetect Anomalous d_ino Values in getdents64 Output\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement restrictions on user namespaces and network namespace creation to limit the attack surface, as the exploit requires CAP_NET_ADMIN.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected modifications to \u003ccode\u003emodprobe_path\u003c/code\u003e. Use the Sigma rule \u003ccode\u003eDetect modprobe_path Overwrite\u003c/code\u003e to identify attempts to escalate privileges.\u003c/li\u003e\n\u003cli\u003eReview systems for the presence of vulnerable kernel versions (~3.14+ through 6.18-rc5) as detailed in the overview to prioritize patching efforts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-linux-kernel-lpe/","summary":"A local privilege escalation vulnerability exists in the Linux Kernel versions ~3.14+ through 6.18-rc5 due to a use-after-free in the proc_readdir_de() function, where a concurrent traversal can dereference a freed entry's fields during network device unregistration, leading to privilege escalation via modprobe_path overwrite.","title":"Linux Kernel proc_readdir_de() Use-After-Free Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-linux-kernel-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — Linux Kernel","version":"https://jsonfeed.org/version/1.1"}