Researchers took advantage of kernelCTF instances on Google and a zero-day vulnerability in Debian 12.
Researchers have successfully exploited CVE-2025-38001, a previously unknown Use-After-Free (UAF) vulnerability in the Linux Hierarchical Fair Service Curve (HFSC) queuing discipline. The exploit allowed them to compromise all Google kernelCTF instances, including the Long-Term Support (LTS), Container-Optimized OS (COS), and mitigation environments, as well as fully patched Debian 12 systems. Their work earned an estimated $82,000 in cumulative bounties and highlights the need for thorough manual code auditing beyond automated fuzzing. Key takeaways from the research include the discovery that the NETEM queuing discipline's packet duplication feature, combined with Token Bucket Filter (TBF) rate-limiting, turns an infinite Red-Black Tree (RBTree) loop into a reliable UAF. In addition, an innovative RBTree pointer-copy technique led to a page-level UAF and an arbitrary write capability.
According to researchers D3vil and FizzBuzz101, the exploit stemmed from a logic flaw in the hfsc_enqueue() function, which permitted a class to be inserted twice into the HFSC "eligible" RBTree when used alongside the NETEM qdisc's packet duplication feature. The NETEM duplicate option triggered a reentrant call to hfsc_enqueue(), causing the init_ed() function to execute twice for the same class and create a cyclic RBTree. On its own this results in an infinite loop inside hfsc_dequeue(), but the researchers stacked a TBF qdisc at the root with an extremely low rate, which held off dequeue operations long enough to free the class and trigger a UAF when a new class was inserted. Their exploitation of the UAF relied on a pointer-copy primitive built from controlled RBTree transformations, ultimately yielding root access on both Debian 12 and the various kernelCTF environments. The vulnerability has since been patched in commit ac9fe7dd8e730a103ae4481147395cc73492d786, and CVE-2025-38001 has been officially assigned.
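The data-structure invariant at the heart of the bug is easy to see in isolation. The following is an added model written for this article; it is not kernel code, not the researchers' exploit, and not the upstream fix. It replaces the HFSC eligible RBTree with a sorted intrusive list (the link/insert logic has the same "caller guarantees the node is not already linked" contract), models a NETEM-like child that re-enters the root enqueue with a duplicate before queuing the original packet, and shows that the unguarded version links the same class twice and produces a self-referencing node that no walk can finish. The `in_eltree` flag and the `guarded` parameter are hypothetical stand-ins for an "already active" check, not the wording of the real patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not kernel code: an HFSC-like class and the
 * "eligible" set it is linked into.  The kernel uses an RBTree; a sorted
 * intrusive list is enough to show the double-insertion problem. */
struct cls {
    const char *name;
    unsigned long el;        /* eligible time, the sort key */
    struct cls *next;        /* link inside the eligible set */
    bool in_eltree;          /* stand-in for "class already linked in the tree" */
    int child_qlen;          /* packets queued in the class's child qdisc */
};

struct eltree { struct cls *head; };

/* Sorted insert.  Like rb_link_node()/rb_insert_color(), it trusts the
 * caller that `cl` is not already linked into the set. */
static void eltree_insert(struct eltree *t, struct cls *cl)
{
    struct cls **pp = &t->head;
    while (*pp && (*pp)->el <= cl->el)
        pp = &(*pp)->next;
    cl->next = *pp;
    *pp = cl;
}

/* Floyd cycle check: returns true if a walk from head would never end,
 * which is the list equivalent of hfsc_dequeue() spinning forever. */
static bool eltree_has_cycle(const struct eltree *t)
{
    const struct cls *slow = t->head, *fast = t->head;
    while (fast && fast->next) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast)
            return true;
    }
    return false;
}

/* Number of classes reachable from head, or -1 if the set is cyclic. */
static int eltree_count(const struct eltree *t)
{
    if (eltree_has_cycle(t))
        return -1;
    int n = 0;
    for (const struct cls *c = t->head; c; c = c->next)
        n++;
    return n;
}

/* Model of hfsc_enqueue().  `dup` models a NETEM-like child that, before
 * queuing the original packet, hands a copy back to the root qdisc, which
 * re-enters this function for the same class.  `guarded` adds the check
 * that the class is not already linked (hypothetical, not the real patch). */
static void model_hfsc_enqueue(struct eltree *t, struct cls *cl, bool guarded, bool dup)
{
    bool first = (cl->child_qlen == 0);   /* snapshot taken before the child enqueue */

    if (dup)                               /* reentrant enqueue of the duplicate */
        model_hfsc_enqueue(t, cl, guarded, false);
    cl->child_qlen++;                      /* original packet now sits in the child */

    /* Unguarded: both the inner and the outer call saw first == true, so
     * both link the class; the second insert makes cl->next point at cl. */
    if (first && !(guarded && cl->in_eltree)) {
        cl->in_eltree = true;
        eltree_insert(t, cl);
    }
}

/* Runs one duplicated enqueue on a single class (constructed sample) and
 * returns eltree_count(): -1 for the unguarded, cyclic case, 1 with the guard. */
int run_scenario(bool guarded)
{
    struct eltree t = { NULL };
    struct cls cl = { "1:1", 100, NULL, false, 0 };
    model_hfsc_enqueue(&t, &cl, guarded, true);
    return eltree_count(&t);
}

int main(void)
{
    printf("unguarded eligible set: %d (-1 = cycle)\n", run_scenario(false));
    printf("guarded eligible set:   %d\n", run_scenario(true));
    return 0;
}
```

The point the model makes for reviewers of qdisc code is that `first` is computed before the child enqueue and is stale by the time it is used if anything in between can re-enter the root; the eligibility check therefore has to consult the class's current linked state, not a pre-call snapshot. The TBF trick described above only matters because a cyclic tree is otherwise observed as a hang: it keeps the walk from running until the node has already been freed.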