CVE-2025-13350 Overview
CVE-2025-13350 is a use-after-free (UAF) vulnerability in Ubuntu Linux 6.8 (Noble Numbat) kernel that enables reliable local privilege escalation (LPE). The vulnerability arises from a reference counting mismatch in the AF_UNIX socket garbage collector when handling out-of-band (OOB) socket buffers. Ubuntu Linux 6.8 retains the legacy AF_UNIX garbage collector while also incorporating an upstream backport that modifies OOB SKB reference handling, creating a dangerous inconsistency that allows attackers to exploit freed memory.
Critical Impact
This vulnerability enables local attackers to achieve privilege escalation through a reliable use-after-free condition in the kernel's AF_UNIX socket garbage collection mechanism.
Affected Products
- Ubuntu Linux 6.8 (Noble Numbat) kernel versions 6.8.0-56.58 through 6.8.0-84.84
Discovery Timeline
- 2026-03-05 - CVE CVE-2025-13350 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-13350
Vulnerability Analysis
The vulnerability stems from an incompatibility between Ubuntu's legacy AF_UNIX garbage collector and the backported upstream commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB skb"). In mainline Linux kernels and Ubuntu builds with the new garbage collection infrastructure from commit 4090fa373f0e, this issue does not manifest because the legacy collector path is no longer executed.
When orphaned MSG_OOB sockets enter the unix_gc() function in affected Ubuntu kernels, the garbage collector incorrectly assumes OOB SKBs (socket buffers) hold two references—one from the queue and one additional reference. However, following the backported commit, OOB SKBs only retain the queue reference. This reference count mismatch causes kfree_skb() to free the buffer prematurely while it remains reachable in the socket queue.
Subsequent queue traversals then dereference the freed memory, creating a classic use-after-free condition that can be reliably exploited for local privilege escalation. The attack requires local access and the ability to manipulate AF_UNIX sockets with out-of-band data.
Root Cause
The root cause is a reference counting error introduced by the partial backport of upstream changes. The upstream commit 8594d9b85c07 removed the additional skb_get() call for OOB SKBs, reducing their reference count from two to one. However, Ubuntu's retention of the legacy garbage collector—which was designed to work with the old two-reference model—means unix_gc() still calls kfree_skb() expecting to decrement two references. With only one reference present, this results in immediate memory deallocation while the SKB pointer remains in the socket queue, creating the use-after-free condition.
Attack Vector
This is a local attack vector requiring authenticated access to the system. An attacker with local user privileges can exploit this vulnerability by:
- Creating AF_UNIX socket pairs and sending out-of-band (MSG_OOB) data
- Manipulating socket states to trigger garbage collection on orphaned OOB sockets
- Racing the garbage collector to access the freed SKB memory
- Leveraging the use-after-free to achieve kernel memory corruption and privilege escalation
The exploitation is described as "reliable" in the vulnerability disclosure, indicating that race conditions can be won consistently, making this a practical privilege escalation vector for local attackers.
Detection Methods for CVE-2025-13350
Indicators of Compromise
- Unusual kernel crashes or panics related to unix_gc() or AF_UNIX socket handling
- Suspicious local processes manipulating large numbers of AF_UNIX socket pairs with OOB data
- Kernel log entries indicating memory corruption or invalid memory references in socket subsystems
- Evidence of privilege escalation from unprivileged user accounts
Detection Strategies
- Monitor kernel logs for oops or panics involving unix_gc, kfree_skb, or AF_UNIX related functions
- Implement process behavioral monitoring to detect unusual AF_UNIX socket creation patterns
- Deploy kernel-level monitoring for anomalous socket operations involving MSG_OOB flags
- Utilize SentinelOne's behavioral AI to detect post-exploitation privilege escalation activities
Monitoring Recommendations
- Enable kernel crash dump collection to capture forensic evidence of exploitation attempts
- Monitor for unexpected SUID binary execution or capability escalation from standard user processes
- Track AF_UNIX socket operations in high-security environments using eBPF-based monitoring
- Configure alerts for processes that exhibit rapid socket creation and destruction patterns typical of UAF exploitation
How to Mitigate CVE-2025-13350
Immediate Actions Required
- Update Ubuntu Linux 6.8 kernel to version 6.8.0-84.84 or later
- Restrict local system access to trusted users until patching is complete
- Monitor systems for signs of exploitation using the detection strategies above
- Consider implementing additional access controls on multi-user systems
Patch Information
Ubuntu has released patches to address this vulnerability. The fix is available in kernel version 6.8.0-84.84 and later. The patch can be tracked through the Launchpad Bug Report and the corresponding kernel commit. Additional technical details are available on the OSS Security mailing list.
Mainline Linux kernels that have adopted the new garbage collection infrastructure from commit 4090fa373f0e are not affected by this vulnerability.
Workarounds
- Limit local access to affected systems to reduce the attack surface
- Consider restricting AF_UNIX socket creation capabilities using security modules like AppArmor or SELinux where feasible
- Implement enhanced monitoring to detect exploitation attempts until patches can be applied
- For critical systems, evaluate temporarily migrating workloads to unaffected kernel versions
# Check current kernel version
uname -r
# Update to patched kernel on Ubuntu
sudo apt update
sudo apt install linux-image-6.8.0-84-generic
# Reboot to apply the new kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
