CVE-2025-13350
Use-After-Free in Ubuntu Linux 6.8 AF_UNIX Socket GC Enables LPE

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Canonical Ltd.

Description
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on the Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privilege escalation (LPE) caused by a use-after-free (UAF). Ubuntu builds that have already taken the new GC stack from commit 4090fa373f0e and mainline Linux kernels shipping that infrastructure are unaffected because they no longer execute the legacy collector path. This issue affects Ubuntu Linux from 6.8.0-56.58 before 6.8.0-84.84.
Meta Information
Published: 2026-03-05
Last Modified: 2026-03-05
Generated: 2026-05-06
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ubuntu
Product: linux
Version / Range: to 6.8.0-84.84 (exclusive)
CWE ID: CWE-416
Description: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-13350 is a use-after-free (UAF) vulnerability in the AF_UNIX socket garbage collection subsystem of Ubuntu Noble 6.8 Linux kernels.

The issue arises because the legacy garbage collector expects out-of-band (OOB) socket buffers (SKBs) to have two references, but after an upstream kernel commit was backported, these SKBs only have one reference.

This mismatch causes the garbage collector to prematurely free the SKB while it is still reachable, leading to a use-after-free condition when the system later tries to access the freed memory.

This vulnerability can be triggered when AF_UNIX socket pairs are created, OOB data is sent, sockets become orphaned, and garbage collection runs.


How can this vulnerability impact me?

This vulnerability allows a reliable local privilege escalation (LPE) on affected Ubuntu Noble 6.8 kernels.

Because the use-after-free condition can cause kernel crashes or allow an attacker to execute arbitrary code with elevated privileges, it poses a significant security risk to local users.

Exploitation requires local access to the system and the ability to create and manipulate AF_UNIX sockets with out-of-band data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a use-after-free (UAF) condition in the AF_UNIX socket garbage collection subsystem when orphaned MSG_OOB sockets are garbage collected. Detection involves monitoring for kernel crashes or memory corruption related to AF_UNIX sockets with out-of-band (OOB) data.

Kernel Address Sanitizer (KASAN) can be used to detect the use-after-free condition caused by this vulnerability, as it triggers immediate kernel crashes on unpatched kernels.

To detect the vulnerability, you can monitor kernel logs for crashes or use KASAN-enabled kernels to catch UAF errors during stress testing involving AF_UNIX socket pairs with OOB data.

While no specific commands are provided in the resources, a general approach includes:

  • Enable KASAN in your kernel configuration and review dmesg or kernel logs for UAF reports.
  • Use socket testing tools or custom scripts to create AF_UNIX socket pairs, send OOB data, orphan the sockets, and trigger garbage collection.
  • Monitor system stability and kernel logs during these tests for crashes or memory errors.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Ubuntu Linux 6.8 kernel to a version that includes the fix for this vulnerability.

The fix was released in the linux package version 6.8.0-83.83 for Ubuntu Noble 6.8, which modifies the AF_UNIX socket garbage collector to avoid premature freeing of out-of-band socket buffers.

Until the update is applied, avoid running untrusted local code that can create and manipulate AF_UNIX sockets with OOB data, as this can trigger the use-after-free condition.

Additionally, consider enabling kernel hardening features such as KASAN and monitoring for suspicious kernel behavior.
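
A version check to go with the detection and mitigation answers above, as an added example that is not part of the original page or of any Canonical tooling. It classifies an Ubuntu kernel package version against the range given in the Description (from 6.8.0-56.58, before 6.8.0-84.84); the function names are illustrative, and the range is assumed to apply to the generic "linux" package only.

```sh
#!/bin/sh
# Added example, not vendor tooling. Bounds come from the CVE description.
AFFECTED_FROM="6.8.0-56.58"   # first affected version (inclusive)
FIXED_IN="6.8.0-84.84"        # upper bound (exclusive)

# fields VERSION: print the five numeric fields of "X.Y.Z-ABI.UPLOAD",
# dropping suffixes such as "-generic" or "~22.04.1"; status 1 if malformed.
fields() {
    v=${1%%[~+]*}
    case $v in ''|*[!0-9A-Za-z.-]*) return 1 ;; esac
    old_ifs=$IFS; IFS='.-'; set -- $v; IFS=$old_ifs
    [ $# -ge 5 ] || return 1
    for f in "$1" "$2" "$3" "$4" "$5"; do
        case $f in ''|*[!0-9]*) return 1 ;; esac
    done
    echo "$1 $2 $3 $4 $5"
}

# ver_lt A B: status 0 if A < B, 1 if A >= B, 2 if either is malformed.
ver_lt() {
    a=$(fields "$1") && b=$(fields "$2") || return 2
    while [ -n "$a" ]; do
        x=${a%% *}; y=${b%% *}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *' '*) a=${a#* }; b=${b#* } ;; *) a= ;; esac
    done
    return 1
}

# classify VERSION: print "affected", "outside-range" or "unknown".
# Assumption: the range is for the generic "linux" package, so flavour
# kernels with their own numbering (e.g. "-aws") are reported as unknown.
classify() {
    case ${1%%[~+]*} in *-*-generic) ;; *-*-*) echo unknown; return 0 ;; esac
    rc=0; ver_lt "$1" "$AFFECTED_FROM" || rc=$?
    [ "$rc" -eq 2 ] && { echo unknown; return 0; }
    [ "$rc" -eq 0 ] && { echo outside-range; return 0; }   # older than range
    if ver_lt "$1" "$FIXED_IN"; then echo affected; else echo outside-range; fi
}

# Ubuntu exposes the package version of the running kernel in
# /proc/version_signature, e.g. "Ubuntu 6.8.0-83.83-generic 6.8.12".
if [ -r /proc/version_signature ]; then
    read -r distro sig rest < /proc/version_signature
    echo "running kernel $sig: $(classify "$sig")"
else
    echo "no /proc/version_signature here; call classify VERSION instead"
fi
```

A bare package version without a flavour suffix cannot be told apart from a flavour kernel's version, so confirm which kernel package a host runs before relying on an "outside-range" result.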

