Kernel-hack-drill and a New Approach to Exploiting CVE-2024-50264 in the Linux Kernel Author: Alexander Popov Date: September 2, 2025 Pwnie Award 2025: Best Privilege Escalation --- Background & Bug Collision Story CVE-2024-50264 is a challenging Linux kernel privilege escalation vulnerability involving a race condition in AFVSOCK sockets causing a use-after-free (UAF). Initially discovered by the author in 2021 (CVE-2021-26708), another crash found in 2024 was shelved due to fragility. Later discovered the bug was disclosed publicly by Hyunwoo Kim and Wongi Lee and was used in kernelCTF. Despite the complexity and existing exploit attempts, the author pursued a simpler proof-of-concept (PoC) exploit on Ubuntu Server 24.04 (kernel v6.11). CVE-2024-50264 Analysis Introduced in Linux 4.8 (2016). Race happens between connect() syscall and POSIX signals causing a freed virtiovsocksock object (80 bytes) to be used after free. UAF write is triggered inside a kernel worker (kworker). Exploitation is difficult due to: Unstable race reproduction Immediate null-pointer dereferences (null-ptr-derefs) causing kernel crashes Complex kernel slab cache and locking mechanics Vulnerability exploited by interrupting connect() with signals. Reproducing the Bug with "Immortal Signal" (Signal 33) Normal signals like SIGKILL terminate processes, breaking exploit attempts. Author discovered that signal 33, used internally by NPTL, can interrupt connect() without killing the process. By setting a POSIX timer (timercreate) to fire signal 33 at a precise time, the exploit gains reliable interruption triggering the race. Memory Corruption Details During interrupted connect(), the socket state drops from TCPESTABLISHED to TCPCLOSING. The socket's transport switching frees the virtiovsocksock structure. A kernel worker scheduled afterward performs operations on this freed object, triggering UAF writes. Only two 4-byte fields (peerbufalloc and peerfwdcnt) are overwritten in the freed structure (no pointer deref). The UAF write is fragile; if txlock is non-zero, spinlock operations cause kernel hangs. Limitations of CVE-2024-50264 Exploitation Vulnerable client and server vsock objects are allocated together, complicating cross-cache attacks. Race reproduction is very unstable. UAF write occurs too soon (~μs) after free for normal cross-cache attacks. Immediate null-ptr-derefs in kernel worker after UAF write. Further null-ptr-derefs after VSOCKCLOSETIMEOUT (8s). Spinlock hang if txlock is non-zero. Exploit Strategy: Simple vs Complex The existing published strategy by @v4bel/@qwerty uses: BPF JIT spray, SLUBStick slab grooming, Dirty Pagetable technique (modifying page table entries), Complex privilege escalation payloads. The author sought a simpler path by redirecting UAF write into target kernel objects for useful primitives. Searching for Victim Objects Tried struct cred (184 bytes) for privilege escalation but: Partial overlap caused kernel hang or unusable pointer corruption. Switched to msgmsg (96 bytes) from System V message queues for cross-cache reallocation. Used novel technique to corrupt msgmsg.mlist and related fields while postponing queue insertion to avoid kernel hangs. Novel msgmsg Spray Technique Fill message queue with "clogging" messages to nearly full. Spray target msgmsg objects via parallel msgsnd() syscalls, which block due to lack of space. Perform UAF overwrite to corrupt fields in the blocked msgmsg. Release clogging messages with msgrcv(), causing kernel to fix corrupted fields automatically. Results in controlled out-of-bounds kernel memory reads via enlarged message size. Cross-Cache Attack Development with kernel-hack-drill Used own open-source kernel-hack-drill testing