OpenWrt ltq-ptm Driver Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in the OpenWrt ltq-ptm driver, affecting versions prior to 24.10.4. This vulnerability allows local users to read and write arbitrary kernel memory through the driver's ioctl interface. It specifically impacts the lantiq target on xrx200, danube, and amazon SoCs, with DSL lines using PTM mode. The issue does not affect the VRX518 DSL driver or ATM mode, which is commonly used for ADSL lines. OpenWrt typically operates as a single-user system, but some services are sandboxed. Exploiting this vulnerability could enable an attacker to escape a ujail sandbox or other containment.

Impact

Successful exploitation allows local users to read and write arbitrary kernel memory, potentially leading to unauthorized access or modification of kernel data. This vulnerability could also be used to escape from a sandboxed environment, such as a ujail sandbox, and gain elevated privileges.

Reproduction

The vulnerability can be reproduced by a local user with access to a device running an affected version of OpenWrt on a compatible lantiq SoC. The DSL line must be in PTM mode. Once these conditions are met, the user can use the ioctl commands of the ltq-ptm driver to read and write arbitrary kernel memory.

Remediation

Users can upgrade to OpenWrt version 24.10.4 or later, including snapshot builds since October 15, 2025. Instructions for upgrading can be found on the OpenWrt website.