For those running CentOS Stream 9, this is a Major Vulnerability.
New CentOS 9 Vulnerability Allows Attackers to Escalate Privileges to Root
Author: Cyber Press ®
See: https://www.linkedin.com/pulse/new-centos-9-vulnerability-allows-attackers-escalate-privileges-a8xnc/

A newly identified privilege escalation flaw in CentOS Stream 9 has triggered significant security concerns within the Linux community.
The vulnerability, originating from a Use-After-Free (UAF) condition in the Linux kernel’s networking subsystem, allows a local user to escalate privileges to root.
The issue was spotlighted at the TyphoonPWN 2025 hacking competition, where it won first place in the Linux category.
Adding urgency, a proof-of-concept (PoC) exploit has been publicly released that reliably achieves full system compromise on vulnerable installations.
```c
static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
			struct sk_buff **to_free)
{
	// ... (classification, flow lookup and the enqueue of skb itself elided)
	if (q->buffer_used > q->buffer_limit) {	// [1] Check buffer limit
		u32 dropped = 0;

		while (q->buffer_used > q->buffer_limit) {
			dropped++;
			cake_drop(sch, to_free);	// [2] Packet is DROPPED here
		}
		b->drop_overlimit += dropped;
	}
	return NET_XMIT_SUCCESS;			// [!] Returns SUCCESS anyway
}
```

Root Cause in CAKE Scheduler
The flaw exists in the sch_cake (Common Applications Kept Enhanced) packet scheduler, a component responsible for managing network traffic shaping in the kernel.
The issue specifically lies in the cake_enqueue() function, which mishandles return codes during packet drops.
Under buffer pressure, CAKE discards packets using cake_drop(), yet incorrectly returns NET_XMIT_SUCCESS, indicating to upper layers that the packet was successfully queued.
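To make concrete why a wrong return code from an enqueue path turns into a memory-safety bug, here is a small user-space model. It is an added example written for this article, not code from the article, from Cyber Press or from the kernel. The queue, the 1500-byte limit, the packet sizes and the helper names (model_enqueue(), model_drop(), caller_enqueue(), run_scenario(), run_two_packets()) are all constructed for the demonstration; the drop policy (evict the oldest packet) is a simplification of cake_drop(). The "hardened" variant returns NET_XMIT_CN when the packet it just accepted is the one it dropped, which is the convention fq_codel uses for that case in the upstream kernel; whether the actual CAKE fix takes exactly that form is not something this page states, so treat it as an illustration of the correct contract rather than as the patch.

```c
/* Constructed model of the CAKE enqueue return-code bug. Not kernel code. */
#include <stdio.h>
#include <string.h>

/* Return codes with the kernel's names and values. NET_XMIT_CN means "dropped
 * for congestion; the skb is no longer the caller's to touch". */
#define NET_XMIT_SUCCESS 0x00
#define NET_XMIT_DROP    0x01
#define NET_XMIT_CN      0x02

#define QLEN_MAX 8

struct sk_buff {
	unsigned int len;
	int freed;	/* model of kfree_skb(): mark dead instead of free() so the check below is not UB */
};

struct qdisc {
	struct sk_buff *queue[QLEN_MAX];
	unsigned int qlen;
	unsigned int buffer_used;
	unsigned int buffer_limit;
	unsigned int drop_overlimit;
};

static void qdisc_init(struct qdisc *q, unsigned int limit)
{
	memset(q, 0, sizeof(*q));
	q->buffer_limit = limit;
}

/* Model of cake_drop(): evict the oldest packet. Real CAKE picks a packet from
 * the fattest flow, but in both cases the victim can be the packet just enqueued. */
static struct sk_buff *model_drop(struct qdisc *q)
{
	struct sk_buff *victim = q->queue[0];

	memmove(&q->queue[0], &q->queue[1], (q->qlen - 1) * sizeof(q->queue[0]));
	q->qlen--;
	q->buffer_used -= victim->len;
	victim->freed = 1;		/* kfree_skb() in the kernel */
	q->drop_overlimit++;
	return victim;
}

/* Model of cake_enqueue(). hardened == 0 reproduces the behaviour described in
 * the article: packets are dropped, SUCCESS is returned regardless. hardened == 1
 * reports NET_XMIT_CN when the new skb itself was the one dropped (assumed fix). */
static int model_enqueue(struct qdisc *q, struct sk_buff *skb, int hardened)
{
	int dropped_self = 0;

	if (q->qlen == QLEN_MAX)
		return NET_XMIT_DROP;	/* hard limit; caller owns and frees skb */
	q->queue[q->qlen++] = skb;
	q->buffer_used += skb->len;

	while (q->buffer_used > q->buffer_limit) {	/* [1] over the byte limit */
		if (model_drop(q) == skb)		/* [2] victim may be skb itself */
			dropped_self = 1;
	}
	if (hardened && dropped_self)
		return NET_XMIT_CN;		/* tell the caller the skb is gone */
	return NET_XMIT_SUCCESS;		/* vulnerable path: always SUCCESS */
}

/* Model of a caller (parent qdisc or core enqueue path) that trusts the return
 * code and, on SUCCESS, keeps using the skb for byte accounting.
 * Returns 1 if that access lands on a freed skb (the use-after-free), else 0. */
static int caller_enqueue(struct qdisc *q, struct sk_buff *skb,
			  int hardened, unsigned long *bytes_queued)
{
	int rc = model_enqueue(q, skb, hardened);

	if (rc != NET_XMIT_SUCCESS)
		return 0;		/* skb consumed by the child; do not touch it */
	if (skb->freed)
		return 1;		/* in the kernel this is a dereference of freed memory */
	*bytes_queued += skb->len;
	return 0;
}

/* Scenario 1: 1500-byte limit, one 2000-byte packet. The scheduler drops the
 * packet it just accepted. Returns 1 if the caller touched freed memory. */
static int run_scenario(int hardened)
{
	struct qdisc q;
	struct sk_buff big = { .len = 2000, .freed = 0 };
	unsigned long bytes = 0;

	qdisc_init(&q, 1500);
	return caller_enqueue(&q, &big, hardened, &bytes);
}

/* Scenario 2: two 1000-byte packets under the same limit. The drop evicts the
 * older packet, so SUCCESS is correct in both variants. Returns the UAF count. */
static int run_two_packets(int hardened)
{
	struct qdisc q;
	struct sk_buff a = { .len = 1000, .freed = 0 };
	struct sk_buff b = { .len = 1000, .freed = 0 };
	unsigned long bytes = 0;
	int uaf = 0;

	qdisc_init(&q, 1500);
	uaf += caller_enqueue(&q, &a, hardened, &bytes);
	uaf += caller_enqueue(&q, &b, hardened, &bytes);
	return uaf;
}

int main(void)
{
	printf("oversized packet, vulnerable return handling: uaf=%d\n", run_scenario(0));
	printf("oversized packet, hardened return handling:   uaf=%d\n", run_scenario(1));
	printf("two packets, older one evicted:               uaf=%d\n", run_two_packets(0));
	return 0;
}
```

The point of the two scenarios is that the return value of an enqueue function is an ownership statement, not a hint: after SUCCESS the caller is entitled to keep using the skb, so an enqueue path that may have freed that very skb has to say so, and the caller has to stop touching the buffer on anything but SUCCESS.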