New Linux Kernel Vulnerability Directly Exploited from Chrome Renderer Sandbox Via Rare Linux Socket Feature
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical vulnerability in the Linux kernel, identified as CVE-2025-38236<\/a>, has exposed a flaw that could allow attackers to escalate privileges from within the Chrome renderer sandbox on Linux systems.\u00a0<\/p>\n Google Project Zero researcher Jann Horn discovered the bug affects Linux kernel versions 6.9 and above, stemming from the obscure MSG_OOB (out-of-band) feature in UNIX domain sockets.\u00a0<\/p>\n This finding underscores the risks posed by esoteric kernel features and highlights gaps in browser sandbox security.<\/p>\n The vulnerability, identified during a code review in early June, originates from a flaw in the MSG_OOB implementation, introduced in Linux 5.15 in 2021.\u00a0<\/p>\n Though rarely used outside specific Oracle products, MSG_OOB was enabled by default in kernels supporting UNIX sockets and was accessible within Chrome\u2019s renderer sandbox due to unfiltered syscall flags.\u00a0<\/p>\n The bug enables a use-after-free (UAF) condition, which Horn demonstrated can be triggered with a simple sequence of socket operations, potentially allowing attackers to manipulate kernel memory and gain elevated privileges.\u00a0<\/p>\n The Linux kernel has since been patched, and Chrome has blocked MSG_OOB<\/a> messages in its renderer sandbox to mitigate the issue.<\/p>\n Horn\u2019s exploit, detailed<\/a> on Google Project Zero\u2019s bug tracker, shows how an attacker could escalate from native code execution in the Chrome renderer sandbox to kernel-level control on a Debian Trixie system running x86-64 architecture.\u00a0<\/p>\n By exploiting a UAF, the attack leverages a read primitive to copy arbitrary kernel memory to user space, navigating usercopy hardening restrictions.\u00a0<\/p>\n Techniques like reallocating freed memory as pipe pages or kernel stacks, combined with page table manipulation and mprotect() for delay injection, enable precise memory corruption.\u00a0<\/p>\n Notably, the exploit uses Debian\u2019s\u00a0CONFIG_RANDOMIZE_KSTACK_OFFSET<\/em> feature, turning a security mitigation into an advantage for aligning memory targets.<\/p>\n The vulnerability was initially spotted during Horn\u2019s review of a new kernel feature, with a related issue later caught by Google\u2019s syzkaller fuzzing tool in August 2024.\u00a0<\/p>\n The first bug required six syscalls to trigger, while a second, more complex issue found by Horn needed eight, revealing the difficulty fuzzers face in exploring complex kernel data structures like socket buffers (SKBs). <\/p>\n Horn suggests that fuzzers could improve by targeting specific kernel subsystems to better uncover such vulnerabilities.<\/p>\n The exploit also exposes the extensive kernel interfaces available in Chrome\u2019s Linux renderer sandbox, including anonymous VMAs, UNIX sockets, pipes, and syscalls like sendmsg() and mprotect().\u00a0<\/p>\n Many of these interfaces are unnecessary for renderer functionality, unnecessarily expanding the attack surface.\u00a0<\/p>\n Past Chrome vulnerabilities<\/a> involving futex(), memfd_create(), and pipe2() further highlight how obscure kernel features can introduce risks when exposed in sandboxes.<\/p>\n \u00a0Horn\u2019s findings also question the effectiveness of probabilistic mitigations, like per-syscall stack randomization, against attackers with arbitrary read primitives, as these can be bypassed by repeatedly checking randomization outcomes.<\/p>\n The discovery calls for stricter sandbox restrictions and a reevaluation of kernel features exposed to unprivileged processes.\u00a0<\/p>\n Horn plans a deeper analysis of Chrome\u2019s Linux renderer sandbox in a future report. Linux users are urged to apply the latest kernel patches, and developers should scrutinize esoteric kernel features in core system interfaces.<\/p>\n Find this News Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>, and\u00a0X<\/a>\u00a0to Get Instant Updates!<\/strong><\/p>\n The post New Linux Kernel Vulnerability Directly Exploited from Chrome Renderer Sandbox Via Rare Linux Socket Feature<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nUncovering the MSG_OOB Vulnerability<\/strong><\/h2>\n
Challenges in Fuzzing and Sandbox Design<\/strong><\/h2>\n