Hackers News

CentOS 9 Vulnerability: Attacker Escal Lets Attackers

David kimber
February 6, 2026

A critical use-after-free (UAF) vulnerability has been discovered in the Linux kernel’s sch_cake queuing discipline (Qdisc). This flaw affects CentOS 9, enabling local users to gain root privileges.

Security firm SSD Secure Disclosure published details on February 5, 2026, noting the flaw won first place in the Linux category at TyphoonPWN 2025.

The issue arises in the cake_enqueue function of the CAKE Qdisc, which returns NET_XMIT_SUCCESS even after dropping packets due to buffer limits.

This misleads parent classful Qdiscs like HFSC, leading to improper state management and a UAF when dequeuing packets. Attackers can exploit this for arbitrary code execution in kernel context, achieving local privilege escalation (LPE).

When buffer_used exceeds buffer_limit, cake_enqueue drops packets via cake_drop but signals success. In a stacked setup (HFSC over CAKE), HFSC enqueues without error checks, calling init_ed to add the class to its active list.

Deleting the HFSC class purges the child CAKE Qdisc via qdisc_purge_queue, but since CAKE is empty, qlen_notify skips removal from HFSC’s active list.

This leaves a dangling pointer. During hfsc_dequeue, eltree_get_mindl selects the freed class, and qdisc_dequeue_peeked triggers UAF on cl->qdisc. The exploit leverages this for RIP control via a sprayed fake Qdisc with ROP gadgets.

Key code flaw in cake_enqueue:

if (q->buffer_used > q->buffer_limit) {
    // drops packets
}
return NET_XMIT_SUCCESS;  // Misleads parent

Exploitation Details

According to the advisory, the PoC bypasses KASLR using prefetch side-channel timing attacks and sprays fake Qdiscs via sendmsg with crafted control messages.

It sets up HFSC (0x10000) with classes, adds a CAKE child, triggers the drop via a loopback send, deletes the class to create the UAF, then sprays a ROP chain for a modprobe_path overwrite. Finally, it triggers modprobe via an unhandled file type to get a root shell.

No CVSS score has been assigned yet, but the impact is high: a local attacker can reach root on CentOS 9 systems using CAKE.

Red Hat (CentOS upstream) was notified over 90 days ago; its response was: “Work in progress, no release yet.” Similar past CAKE flaws (e.g., CVE-2022-50452 null deref) were patched via kernel updates.

Mitigation Steps

  • Avoid the CAKE Qdisc: run tc qdisc del dev lo root, or switch to alternatives like HTB.
  • Monitor tc commands and unusual netlink traffic.
  • Update kernel when patched; disable unneeded Qdisc modules.
  • Use namespaces/user isolation for risky workloads.

This LPE highlights kernel traffic control risks; admins should audit Qdisc usage promptly.
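
A starting point for that audit, as an added example that is not part of the original article or the advisory: the function below reads `tc qdisc show` output and lists every CAKE instance, noting whether it sits at the root or under another Qdisc's class (such as the HFSC-over-CAKE stacking described above). The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# audit_cake: read `tc qdisc show` text on stdin and print one line per
# CAKE instance in the form "<dev> <handle> <placement>", where placement is
# "root" or "child-of-<kind>" (the kind of the Qdisc that owns the parent class).
audit_cake() {
    awk '
    $1 == "qdisc" {
        kind = $2; handle = $3; dev = ""; parent = "root"
        for (i = 4; i <= NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "parent") parent = $(i + 1)
        }
        # Remember which Qdisc kind owns each major handle on each device.
        major = handle; sub(/:.*/, "", major)
        owner[dev SUBSEP major] = kind
        if (kind == "cake") {
            n++; cdev[n] = dev; chandle[n] = handle; cparent[n] = parent
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            place = "root"
            if (cparent[i] != "root") {
                pm = cparent[i]; sub(/:.*/, "", pm)
                k = owner[cdev[i] SUBSEP pm]
                place = "child-of-" (k == "" ? "unknown" : k)
            }
            print cdev[i], chandle[i], place
        }
    }'
}

# Constructed sample of `tc qdisc show` output (not taken from a real host).
sample_tc_output() {
    cat <<'EOF'
qdisc noqueue 0: dev lo root refcnt 2
qdisc hfsc 1: dev eth0 root refcnt 2 default 10
qdisc cake 8001: dev eth0 parent 1:10 bandwidth unlimited diffserv3 triple-isolate
qdisc cake 8002: dev eth1 root refcnt 2 bandwidth 100Mbit besteffort
qdisc fq_codel 0: dev eth2 root refcnt 2 limit 10240p flows 1024
EOF
}

# Demo on the sample; on a live host run: tc qdisc show | audit_cake
sample_tc_output | audit_cake
```

Lines reported as child-of-hfsc match the stacked configuration the article describes and are the first candidates for replacement with another Qdisc.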
