[CVE-2025-37752] Two Bytes of Madness: Pwning the Linux Kernel with a 0x0000 Written 262636 Bytes Out-of-Bounds
CVE-2025-37752 is an Array-Out-Of-Bounds vulnerability in the Linux network packet scheduler, specifically in the SFQ queuing discipline. An invalid SFQ limit and a series of interactions between SFQ and the TBF qdisc can lead to a 0x0000 being written approximately 256KB out-of-bounds at a misaligned offset. If properly exploited, this can enable privilege escalation.
In this guest blog, Zhenpeng Lin details the three-month evaluation he performed of AUTOSLAB during a research internship with Open Source Security, Inc. AUTOSLAB is a compiler-plugin-enhanced feature of grsecurity introduced in 2020 that provides some interesting security and debug properties. The evaluation covers the completeness of AUTOSLAB's approach, how exploitation is changed, and how it affects performance.
[CVE-2025-38001] Exploiting All Google kernelCTF Instances and Debian 12 with a 0-Day for $82K: An RBTree Family Drama (Part One: LTS & COS)
CVE-2025-38001 is a Use-After-Free vulnerability in the Linux network packet scheduler, specifically in the HFSC queuing discipline. When the HFSC qdisc is used together with NETEM and NETEM packet duplication is enabled, HFSC_RSC makes it possible to insert the same class twice into the HFSC eligible tree. Under normal conditions this would lead to an infinite loop in hfsc_dequeue() due to an RBTree cycle. However, by adding TBF as the root qdisc, it is possible to prevent packets from being dequeued, bypass the infinite loop, free the class, and trigger a Use-After-Free.