Ofufuza zachitetezo ochokera ku Google apeza vuto mu kernel Linux Pali vuto la kukwezedwa kwa mwayi (CVE-2025-38236). Pakati pa zinthu zina, vutoli limalola kunyalanyaza njira yodzipatula ya sandbox yomwe imagwiritsidwa ntchito mu Google Chrome ndikukwaniritsa kugwiritsa ntchito ma code a kernel-level pochita ma code potengera njira yoperekera ma sandbox ya Chrome (mwachitsanzo, pogwiritsa ntchito vuto lina mu Chrome). Vutoli limayamba ndi kernel. Linux 6.9 ndipo yakhazikika mu zosintha za kernel Linux 6.1.143, 6.6.96, 6.12.36 ndi 6.15.5. Chitsanzo cha exploit chikupezeka kuti mutsitse.
Kufooka kumeneku kumachitika chifukwa cha cholakwika chokhazikitsa mbendera ya MSG_OOB, yomwe ingathe kukhazikitsidwa pa AF_UNIX sockets. Mbendera ya MSG_OOB ("kunja kwa gulu") imalola kuti byte yowonjezera iphatikizidwe ku deta yomwe ikutumizidwa, yomwe wolandirayo angawerenge asanalandire deta yonse. Mbendera iyi idawonjezedwa ku kernel. Linux 5.15 idapemphedwa ndi Oracle ndipo idaperekedwa kuti isagwiritsidwe ntchito chaka chatha chifukwa sinavomerezedwe kwambiri.
Kukhazikitsa kwa sandbox kwa Chrome kumapangitsa kuti UNIX igwire ntchito ndi kutumiza ()/recv() kuyimba komwe mbendera ya MSG_OOB idaloledwa pamodzi ndi zosankha zina ndipo sizinasefedwe padera. Vuto mu kukhazikitsa kwa MSG_OOB kunalola kuti kugwiritsidwa ntchito pambuyo paulere kuchitike mutayimba ma foni amndandanda: char dummy; masokosi [2]; socketpair(AF_UNIX, SOCK_STREAM, 0, masokosi); kutumiza(masokisi[1], "A", 1, MSG_OOB); recv(masokisi[0], &dummy, 1, MSG_OOB); kutumiza(masokisi[1], "A", 1, MSG_OOB); recv(masokisi[0], &dummy, 1, MSG_OOB); kutumiza(masokisi[1], "A", 1, MSG_OOB); recv(masokisi[0], &dummy, 1, 0); recv(masokisi[0], &dummy, 1, MSG_OOB);
Source: opennet.ru
