@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Vulnerability overview (CVE-2025-38236)
The blog analyzes CVE-2025-38236, a use-after-free (UAF) in Linux ≥ 6.9 affecting MSG_OOB support for stream-oriented AF_UNIX sockets. Although Chrome does not intentionally use MSG_OOB, the Linux Desktop renderer sandbox allows stream UNIX sockets and did not filter the flags parameter to send()/recv(), so MSG_OOB was reachable from native re...

🔧 Technical Details

AF_UNIX MSG_OOB queue manipulation to produce a UAF
The core trick is abusing the AF_UNIX MSG_OOB design and the manage_oob() logic to create a dangling u->oob_skb pointer. By sending two OOB bytes and reading them with recv(..., MSG_OOB), the attacker leaves two SKBs with unix_skb_len() == 0 in sk_receive_queue. Sending a third OOB byte creates an SKB3 with unix_skb_len() == 1 and sets u->oob_skb = SKB3. A normal recv() then passes through manage_oob(), which incorrectly assumes the next SKB after a zero-remaining SKB has non-zero length and returns a second zero-length SKB to unix_stream_read_generic(). The subsequent while (skip >= unix_skb_len()) loop skips both zero-length SKBs without re-invoking manage_oob() on SKB3, so SKB3 is later freed while still referenced in u->oob...

🤖 Agent Actions

Summary:

  • Added a dedicated Linux kernel exploitation page detailing the AF_UNIX MSG_OOB double-zero-SKB UAF, the resulting SKB-based arbitrary read and constrained +4 GiB write primitives, allocator manipulation steps (page-table spray, pipe buffer reuse, stack recycling), timing tricks with self-looping frag lists, mprotect-based copy stalls, and the final PTE overwrite stage. Included mitigations plus references to the Project Zero post and kernel/Chromium fixes.
  • Updated the Chrome exploitation overview to highlight this renderer-to-kernel escape technique and linked directly to the newly added kernel exploitation page.

Files Modified:

  • src/binary-exploitation/linux-kernel-exploitation/af-unix-msg-oob-uaf-skb-primitives.md
  • src/binary-exploitation/chrome-exploiting.md

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
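As an added, mitigation-side example (not code from the PR, the Project Zero post or Chromium): the summary above notes that the renderer sandbox did not filter the flags argument of send()/recv(), so this shows a seccomp-bpf filter that rejects MSG_OOB on the send/recv syscall family, plus a self-check that installs it in a forked child and verifies that ordinary AF_UNIX stream traffic still passes. Function names and the choice of EPERM as the failure mode are assumptions, and the filter assumes x86-64.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __x86_64__
#error "filter hard-codes AUDIT_ARCH_X86_64; change the arch check for other targets"
#endif
/* seccomp-bpf: sendto/recvfrom/sendmsg/recvmsg fail with EPERM if MSG_OOB is in flags. */
int install_msg_oob_filter(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),      /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto, 5, 0),    /* flags in args[3] */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvfrom, 4, 0),  /* flags in args[3] */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendmsg, 1, 0),   /* flags in args[2] */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvmsg, 0, 4),   /* anything else: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_STMT(BPF_JMP | BPF_JA, 1),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[3])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MSG_OOB, 1, 0),       /* MSG_OOB requested? */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Self-check in a forked child: a plain send() on a stream AF_UNIX socketpair must still
 * work and send(..., MSG_OOB) must fail with EPERM. 1 = ok, 0 = ineffective, -1 = setup failed. */
int probe_msg_oob_filter(void) {
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_msg_oob_filter() != 0) _exit(2);
        int ok = send(sv[0], "a", 1, 0) == 1 && send(sv[0], "b", 1, MSG_OOB) == -1 && errno == EPERM;
        _exit(ok ? 0 : 1);
    }
    close(sv[0]); close(sv[1]);
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : (WEXITSTATUS(status) == 0);
}
```

seccomp sees only syscall arguments, not the socket's address family, so this denies MSG_OOB on every socket type, and the filter has to be installed before any untrusted code runs in the process.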

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://projectzero.google/2025/08/from-chrome-renderer-code-exec-to-kernel.html

Content Categories: Based on the analysis, this content was categorized under "🎯 Binary Exploitation / Linux kernel exploitation (new subpage for AF_UNIX MSG_OOB UAF & SKB-based arbitrary read/write primitives)".

Repository Maintenance:

  • MD Files Formatting: 925 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge
