Ubuntu Linux Privilege Escalation Vulnerability in AF_UNIX Garbage Collection

A use-after-free vulnerability has been identified in the Ubuntu Linux 6.8 GA release, specifically in the kernel's AF_UNIX socket garbage collection process. This issue arises when orphaned out-of-band (OOB) messages are handled by the legacy garbage collector, which incorrectly assumes that OOB socket buffers have a reference count of two. As a result, the garbage collector prematurely frees these buffers while they are still in use, leading to a local privilege escalation vulnerability. This issue affects Ubuntu Linux versions 6.8.0-56.58 prior to 6.8.0-84.84.

Impact

Exploitation of this vulnerability causes a use-after-free condition, allowing for local privilege escalation.

Reproduction

The vulnerability can be reproduced by creating pairs of AF_UNIX sockets, sending out-of-band data, orphaning the sockets, and then triggering garbage collection. On unpatched kernels, this sequence causes an immediate use-after-free condition, which can be detected using the Kernel Address Sanitizer (KASAN).

Remediation

Users can upgrade to Ubuntu Linux 6.8.0-84.84 or later to address this vulnerability.