CentOS 9 Vulnerability

A severe use-after-free (UAF) vulnerability within the Linux kernel’s sch_cake queuing discipline (Qdisc) impacts CentOS 9, enabling local users to acquire root access.

On February 5, 2026, security firm SSD Secure Disclosure released information outlining that this flaw secured first place in the Linux category at TyphoonPWN 2025.

The root cause is in cake_enqueue, the enqueue function of the CAKE Qdisc, which returns NET_XMIT_SUCCESS even when it has just dropped packets because the buffer limit was exceeded.

A classful parent such as HFSC therefore believes the packet was queued, its bookkeeping diverges from the child's real state, and a use-after-free follows during dequeue. An attacker can turn this into arbitrary code execution in kernel context, i.e. local privilege escalation (LPE).

When buffer_used exceeds buffer_limit, cake_enqueue discards packets via cake_drop but still reports success. In a stacked configuration (HFSC on top of CAKE), HFSC's error check passes because CAKE lied, so HFSC treats the packet as the class's first queued packet, calls init_ed and inserts the class into its active (eligible) tree even though the child queue is still empty.

Deleting the HFSC class purges the child CAKE Qdisc via qdisc_purge_queue, but because CAKE's qlen is already 0, no qlen_notify is issued and the class is never removed from HFSC's active tree before it is freed.


The active tree now holds a dangling pointer. On the next hfsc_dequeue, eltree_get_mindl selects the freed class and qdisc_dequeue_peeked dereferences cl->qdisc, the use-after-free. The exploit turns this into RIP control by placing a fake Qdisc object, whose ops point at ROP gadgets, in the freed memory.

Crucial code defect in cake_enqueue (simplified):

    if (q->buffer_used > q->buffer_limit) {
        /* packets are dropped here via cake_drop() */
    }
    return NET_XMIT_SUCCESS;  /* reported to the parent even after the drop */
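To make the interaction concrete, the following userspace C model is an added illustration, not code from the advisory, the PoC, or the kernel. It reproduces the control flow described above: a child that drops but reports NET_XMIT_SUCCESS, a parent that activates the class on the first accepted packet, a deletion path that only deactivates the class when the child's qlen is non-zero, and a dequeue that would then touch the freed class. All structure and function names are hypothetical stand-ins; only the NET_XMIT_* values match the kernel's. The `fixed` path returns NET_XMIT_CN, the value qdiscs such as fq_codel use when the packet just handed to them was dropped; it is shown as one way to keep the parent consistent, not as the eventual upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>

#define NET_XMIT_SUCCESS 0x00
#define NET_XMIT_DROP    0x01
#define NET_XMIT_CN      0x02   /* "congestion notification": the packet was dropped */

#define MAX_ACTIVE 4

/* Stand-in for the CAKE child: a byte-bounded queue (hypothetical model). */
struct child_qdisc {
    int qlen;
    int buffer_used;
    int buffer_limit;
    int fixed;      /* 0 = buggy cake_enqueue, 1 = report the drop to the parent */
};

/* Stand-in for an HFSC class. The model never frees it; `freed` records
 * the point at which the real kernel would have, so the check stays defined. */
struct hfsc_class {
    struct child_qdisc *qdisc;
    int freed;
};

/* Stand-in for HFSC's eligible/active tree. */
struct hfsc_sched {
    struct hfsc_class *active[MAX_ACTIVE];
    int nactive;
};

/* Models cake_enqueue(): over the limit the packet is discarded (cake_drop),
 * but the buggy variant still reports NET_XMIT_SUCCESS to its parent. */
static int cake_enqueue_model(struct child_qdisc *q, int len)
{
    q->qlen++;
    q->buffer_used += len;
    if (q->buffer_used > q->buffer_limit) {
        q->qlen--;
        q->buffer_used -= len;          /* cake_drop(): packet discarded */
        return q->fixed ? NET_XMIT_CN : NET_XMIT_SUCCESS;
    }
    return NET_XMIT_SUCCESS;
}

static void set_active(struct hfsc_sched *s, struct hfsc_class *cl)
{
    if (s->nactive < MAX_ACTIVE)
        s->active[s->nactive++] = cl;
}

static void set_passive(struct hfsc_sched *s, struct hfsc_class *cl)
{
    for (int i = 0; i < s->nactive; i++) {
        if (s->active[i] == cl) {
            for (int j = i; j + 1 < s->nactive; j++)
                s->active[j] = s->active[j + 1];
            s->nactive--;
            return;
        }
    }
}

/* Models hfsc_enqueue(): the return value IS checked, but a lying child
 * passes the check, and the class is activated on its "first" packet. */
static int hfsc_enqueue_model(struct hfsc_sched *s, struct hfsc_class *cl, int len)
{
    int first = (cl->qdisc->qlen == 0);
    int err = cake_enqueue_model(cl->qdisc, len);
    if (err != NET_XMIT_SUCCESS)
        return err;
    if (first)
        set_active(s, cl);              /* init_ed()/init_vf() in the real code */
    return NET_XMIT_SUCCESS;
}

/* Models class deletion: qdisc_purge_queue() only triggers qlen_notify()
 * (which would set_passive the class) when the child reports qlen > 0. */
static void hfsc_delete_class_model(struct hfsc_sched *s, struct hfsc_class *cl)
{
    if (cl->qdisc->qlen > 0)
        set_passive(s, cl);
    free(cl->qdisc);
    cl->qdisc = NULL;
    cl->freed = 1;      /* real kernel: the class is freed while active[] may still point at it */
}

/* Models hfsc_dequeue(): -1 if it would follow a freed class (the UAF on
 * cl->qdisc), 1 if it served a live class, 0 if nothing is active. */
static int hfsc_dequeue_model(struct hfsc_sched *s)
{
    if (s->nactive == 0)
        return 0;
    struct hfsc_class *cl = s->active[0];   /* eltree_get_mindl() */
    if (cl->freed)
        return -1;                          /* qdisc_dequeue_peeked(cl->qdisc) on freed memory */
    return 1;
}

/* Runs the sequence from the advisory: one over-limit packet, delete the
 * class, dequeue. Returns the hfsc_dequeue_model() result. */
int run_scenario(int fixed_cake)
{
    struct hfsc_sched s = { .nactive = 0 };
    struct hfsc_class cl = { .freed = 0 };
    struct child_qdisc *q = calloc(1, sizeof(*q));
    q->buffer_limit = 64;   /* a single 128-byte packet already exceeds it */
    q->fixed = fixed_cake;
    cl.qdisc = q;

    hfsc_enqueue_model(&s, &cl, 128);
    hfsc_delete_class_model(&s, &cl);
    return hfsc_dequeue_model(&s);
}

int main(void)
{
    printf("buggy cake_enqueue: dequeue result %d (-1 = use-after-free)\n", run_scenario(0));
    printf("fixed cake_enqueue: dequeue result %d\n", run_scenario(1));
    return 0;
}
```

With the buggy child the class is activated on a packet that never entered the queue, survives deletion because qlen is 0, and the next dequeue walks into freed memory; with the child reporting NET_XMIT_CN the parent never activates the class and the sequence is harmless.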

Exploitation Details

The PoC defeats KASLR with a prefetch side-channel timing attack, then sprays fake Qdisc objects into kernel memory via sendmsg with crafted control messages; see the advisory for details.

It sets up an HFSC root Qdisc (handle 0x10000, i.e. 1:) with classes, attaches a CAKE child, provokes a drop by sending over loopback, deletes the class to create the dangling reference, then sprays a ROP chain that overwrites modprobe_path. Finally it executes a file with an unrecognised format, so the kernel runs the attacker-chosen modprobe path as root.

No CVSS score has been assigned yet, but the impact is clear: a local attacker can obtain root on CentOS 9 systems where CAKE is in use.

Red Hat (which maintains CentOS Stream) was notified more than 90 days before publication; its status at disclosure time was “In progress, no release available yet.” Earlier CAKE bugs (e.g. CVE-2022-50452, a NULL-pointer dereference) were fixed through kernel updates.

Mitigation Steps

  • Avoid the CAKE Qdisc: remove it from interfaces (for example tc qdisc del dev lo root; tc qdisc show lists what is attached) and use an alternative such as HTB.
  • Monitor tc invocations and unexpected rtnetlink qdisc/class add and delete operations, particularly from non-administrative users.
  • Apply the kernel update as soon as Red Hat publishes one; until then, keep the sch_cake module from loading where it is not needed (if CAKE is built as a module, a modprobe.d install rule such as install sch_cake /bin/false blocks autoloading).
  • Isolate high-risk workloads with namespaces and dedicated user accounts. Note that on hosts where unprivileged user namespaces are enabled, a local user can typically obtain CAP_NET_ADMIN inside a fresh network namespace and configure HFSC and CAKE on its own loopback interface, so blocking the module matters more than removing CAKE from existing interfaces.

This LPE is one more example of bugs in the kernel's traffic-control (tc) subsystem; administrators should promptly audit which Qdiscs are in use and who is able to configure them.
