Tuesday, March 17, 2026

Researchers Exploit 0-Day Vulnerability in Google kernelCTF and Debian 12

Security researchers have successfully exploited a critical zero-day vulnerability in the Linux kernel, compromising multiple Google kernelCTF instances and Debian 12 systems with a near-perfect success rate.

The vulnerability, now designated as CVE-2025-38001, represents a sophisticated Use-After-Free vulnerability in the Linux network packet scheduler that researchers weaponized using advanced exploitation techniques.

The vulnerability was discovered between April and May 2025 by security researchers working under the team name “Crusaders of Rust,” led by William Liu (FizzBuzz101) and his collaborator.

Discovery emerged from Liu’s master’s thesis project involving a custom fuzzing framework based on Syzkaller, specifically targeting the net/sched subsystem of the Linux kernel.

The research team achieved a historic milestone in Google’s kernelCTF competition, successfully compromising the LTS instance and capturing the flag in just 3.6 seconds after the system went live – marking the fastest submission in Google kernelCTF history.

Their rapid-fire approach targeted an expected cumulative bounty of approximately $82,000 across multiple instances, including LTS 6.6.*, COS 105, COS 109, and Debian 12 systems.

[Figure from the researchers' write-up: inserting class 2:2 in the tree and leaking its address]

The team’s success prompted an immediate response from Google, which disabled the Proof-of-Work (PoW) mechanism following their submission.

Team member Timothy Herchen (anematode) had developed a method to break the kCTF PoW using AVX512 instructions, while other teammates optimized the submission process to achieve their record-breaking time.

HFSC Vulnerability Mechanics

CVE-2025-38001 exploits a critical vulnerability in the HFSC (Hierarchical Fair Service Curve) queuing discipline within the Linux network packet scheduler.

The vulnerability occurs when HFSC is configured with NETEM (Network Emulation) and packet duplication is enabled, creating a dangerous condition where a class can be inserted twice into the HFSC eligible tree.

Under normal circumstances, this double insertion would trigger an infinite loop in the hfsc_dequeue() function, because the RBTree now contains a cycle (node C becomes node P's parent).

However, the researchers discovered that by adding TBF (Token Bucket Filter) as the root qdisc with a very low rate, they could prevent packet dequeuing, bypass the infinite loop, and ultimately trigger a Use-After-Free condition.
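The bug needs a specific qdisc layout on the host: an HFSC qdisc with a NETEM child that has packet duplication enabled. A defender can audit for that combination from the output of `tc qdisc show`. The script below is an added example, not code from the article or from the Crusaders of Rust team. It assumes the iproute2 output format shown in the constructed sample (a `qdisc <kind> <handle>: dev <dev> ...` line per qdisc, `parent <major>:<minor>` for non-root qdiscs, and `duplicate <n>%` on netem qdiscs); the interface names and handles are made up.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of `tc qdisc show` output (not a real capture).
# eth0 carries the risky layout: tbf root -> hfsc -> netem with duplication.
# eth2 has hfsc -> netem but without duplication, so it should not be flagged.
SAMPLE_TC_QDISC_SHOW = """\
qdisc tbf 1: dev eth0 root refcnt 2 rate 8bit burst 1000b lat 1.0s
qdisc hfsc 2: dev eth0 parent 1:1 default 1
qdisc netem 3: dev eth0 parent 2:1 limit 1000 duplicate 100%
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64
qdisc hfsc 4: dev eth2 root refcnt 2 default 1
qdisc netem 5: dev eth2 parent 4:1 limit 1000 delay 20ms
"""

# One line per qdisc; handles are hex and printed as "<major>:".
QDISC_RE = re.compile(
    r"^qdisc (?P<kind>\S+) (?P<handle>[0-9a-f]+): dev (?P<dev>\S+) (?P<rest>.*)$"
)
PARENT_RE = re.compile(r"\bparent (?P<major>[0-9a-f]+):(?P<minor>[0-9a-f]*)")
DUP_RE = re.compile(r"\bduplicate (?P<pct>\d+(?:\.\d+)?)%")


def parse_qdiscs(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse `tc qdisc show` output into a list of qdisc records."""
    entries = []
    for raw in text.splitlines():
        m = QDISC_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not a qdisc line
        rest = m.group("rest")
        pm = PARENT_RE.search(rest)
        if pm:
            parent = pm.group("major")  # major part of the parent class handle
        elif re.search(r"\broot\b", rest):
            parent = "root"
        else:
            parent = None
        dm = DUP_RE.search(rest)
        entries.append({
            "kind": m.group("kind"),
            "handle": m.group("handle"),
            "dev": m.group("dev"),
            "parent": parent,
            "duplicate": float(dm.group("pct")) if dm else None,
        })
    return entries


def find_risky_configs(entries) -> List[Tuple[str, str, str, float]]:
    """Return (dev, hfsc_handle, netem_handle, duplicate_pct) for every netem
    qdisc with duplication enabled whose parent qdisc is hfsc."""
    by_key = {(e["dev"], e["handle"]): e for e in entries}
    findings = []
    for e in entries:
        if e["kind"] != "netem" or not e["duplicate"]:
            continue
        parent = by_key.get((e["dev"], e["parent"]))
        if parent is not None and parent["kind"] == "hfsc":
            findings.append((e["dev"], parent["handle"], e["handle"], e["duplicate"]))
    return findings


def audit_live_host() -> List[Tuple[str, str, str, float]]:
    """Run the same check against the real `tc qdisc show` output on this host."""
    out = subprocess.run(["tc", "qdisc", "show"], capture_output=True, text=True, check=True).stdout
    return find_risky_configs(parse_qdiscs(out))


if __name__ == "__main__":
    for dev, hfsc, netem, pct in find_risky_configs(parse_qdiscs(SAMPLE_TC_QDISC_SHOW)):
        print(f"{dev}: netem {netem}: (duplicate {pct:g}%) attached under hfsc {hfsc}:")
```

On the constructed sample only eth0 is reported. The check matches the netem qdisc's parent major handle against the hfsc qdisc's handle on the same device, so it also catches layouts where an intermediate class (here `2:1`) sits between the two, which is how the article describes the triggering configuration. A host that legitimately needs HFSC plus NETEM duplication is better served by confirming the fix commit is in its kernel than by relying on this audit alone.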

The technical exploitation involved a sophisticated “page-level data-only attack” that manipulated RBTree transformations to achieve a pointer copy primitive.

This allowed the researchers to corrupt page vectors in packet rings, ultimately leading to a page-UAF (Use-After-Free) that enabled privilege escalation by zeroing out the current process credentials.

Industry Impact and Coordinated Disclosure

The vulnerability affects multiple enterprise-grade Linux distributions and has been officially patched through commit ac9fe7dd8e730a103ae4481147395cc73492d786.

The researchers developed a portable exploit that demonstrated remarkable reliability across different Linux environments, achieving close to 100% success rate on targeted systems.

Their approach showcased advanced kernel exploitation techniques, including heap grooming with packet rings and sophisticated manipulation of kernel data structures.

The discovery highlights the ongoing importance of both automated fuzzing techniques and manual code auditing in vulnerability research.

As the researchers noted, their initial fuzzing results required careful manual analysis to fully understand the exploitable conditions, emphasizing that automated tools alone cannot replace expert human analysis in critical security research.

This vulnerability serves as a reminder of the complex interdependencies within kernel subsystems and the potential for seemingly innocuous network scheduling features to harbor critical security vulnerabilities when combined in unexpected ways.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
