Linux Kernel Privilege Escalation Vulnerability via Use-After-Free in Flow Table Management

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's flow table management within the 'act_ct' module of the traffic control subsystem. This issue arises because the function 'tcf_ct_flow_table_get()' improperly manages reference counts while accessing flow table objects. Specifically, it releases a Read-Copy Update (RCU) lock before ensuring that a reference to the flow table object is safely incremented. As a result, the flow table object can be freed while still in use, leading to a use-after-free condition. Exploitation of this vulnerability can result in unauthorized privilege escalation.
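The ordering problem described above, as an added example: a single-threaded userspace model in C, not the kernel's code or its patch. The names slot, lookup_racy, lookup_safe, ft_put and cleanup_queued are hypothetical, the RCU calls appear only as comments, and ref_inc_not_zero models the kernel's refcount_inc_not_zero().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model (constructed): one flow table slot keyed by zone. */
struct flow_table {
    atomic_int ref;      /* models refcount_t */
    int zone;
    bool cleanup_queued; /* models the cleanup work having been scheduled */
};
static struct flow_table slot; /* stands in for the zone lookup table */

/* Take a reference only if the object is still live (count > 0). */
static bool ref_inc_not_zero(struct flow_table *ft) {
    int old = atomic_load(&ft->ref);
    while (old > 0)
        if (atomic_compare_exchange_weak(&ft->ref, &old, old + 1))
            return true;
    return false;
}

/* Drop a reference; the last put queues cleanup (the free, in the kernel). */
static void ft_put(struct flow_table *ft) {
    if (atomic_fetch_sub(&ft->ref, 1) == 1)
        ft->cleanup_queued = true;
}

/* Racy shape: the pointer leaves the read-side section with no reference. */
static struct flow_table *lookup_racy(int zone) {
    struct flow_table *ft = (slot.zone == zone) ? &slot : NULL;
    /* rcu_read_unlock() would be here: cleanup may run from this point on */
    if (ft)
        atomic_fetch_add(&ft->ref, 1); /* too late: can revive a dying object */
    return ft;
}

/* Safe shape: the reference is taken before the read-side section ends. */
static struct flow_table *lookup_safe(int zone) {
    struct flow_table *ft = (slot.zone == zone) ? &slot : NULL;
    if (ft && !ref_inc_not_zero(ft))
        ft = NULL; /* being torn down: treat as not found */
    return ft;     /* rcu_read_unlock() would be after the check above */
}

int main(void) {
    slot.zone = 7; atomic_store(&slot.ref, 1);
    ft_put(&slot);                         /* last user drops its reference */
    return lookup_safe(7) == NULL ? 0 : 1; /* dying table must not be found */
}
```

In the model, a racy lookup after the last put returns a pointer to a table whose cleanup is already queued, while the safe lookup reports it as not found.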

Impact

Exploitation of this vulnerability can lead to unauthorized privilege escalation.

Reproduction

The vulnerability can be reproduced by initializing the 'act_ct' module, which triggers the 'tcf_ct_flow_table_get()' function. This function will look up a flow table in a way that creates a race condition. By adding a delay after the flow table lookup, the 'tcf_ct_flow_table_cleanup_work()' function can be scheduled to run before the reference count is properly managed, causing the use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched.

Added: Jun 9, 2026, 1:44 PM
Updated: Jun 9, 2026, 1:44 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.