CVE-2025-13350
Received Received - Intake
Use-After-Free in Ubuntu Linux 6.8 AF_UNIX Socket GC Enables LPE

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Canonical Ltd.

Description
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privilege escalation (LPE) caused by a use-after-free (UAF). Ubuntu builds that have already taken the new GC stack from commit 4090fa373f0e, and mainline Linux kernels shipping that infrastructure are unaffected because they no longer execute the legacy collector path. This issue affects Ubuntu Linux from 6.8.0-56.58 before 6.8.0-84.84.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13350
EUVD
EUVD-2025-208322
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ubuntu linux to 6.8.0-84.84 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13350 is a use-after-free (UAF) vulnerability in the AF_UNIX socket garbage collection subsystem of Ubuntu Noble 6.8 Linux kernels.

The issue arises because the legacy garbage collector expects out-of-band (OOB) socket buffers (SKBs) to have two references, but after an upstream kernel commit was backported, these SKBs only have one reference.

This mismatch causes the garbage collector to prematurely free the SKB while it is still reachable, leading to a use-after-free condition when the system later tries to access the freed memory.

This vulnerability can be triggered when AF_UNIX socket pairs are created, OOB data is sent, sockets become orphaned, and garbage collection runs.

Impact Analysis

This vulnerability allows a reliable local privilege escalation (LPE) on affected Ubuntu Noble 6.8 kernels.

Because the use-after-free condition can cause kernel crashes or allow an attacker to execute arbitrary code with elevated privileges, it poses a significant security risk to local users.

Exploitation requires local access to the system and the ability to create and manipulate AF_UNIX sockets with out-of-band data.

Compliance Impact

I don't know

Detection Guidance

This vulnerability manifests as a use-after-free (UAF) condition in the AF_UNIX socket garbage collection subsystem when orphaned MSG_OOB sockets are garbage collected. Detection involves monitoring for kernel crashes or memory corruption related to AF_UNIX sockets with out-of-band (OOB) data.

Kernel Address Sanitizer (KASAN) can be used to detect the use-after-free condition caused by this vulnerability, as it triggers immediate kernel crashes on unpatched kernels.

To detect the vulnerability, you can monitor kernel logs for crashes or use KASAN-enabled kernels to catch UAF errors during stress testing involving AF_UNIX socket pairs with OOB data.

While no specific commands are provided in the resources, a general approach includes:

  • Enable KASAN in your kernel configuration and review dmesg or kernel logs for UAF reports.
  • Use socket testing tools or custom scripts to create AF_UNIX socket pairs, send OOB data, orphan the sockets, and trigger garbage collection.
  • Monitor system stability and kernel logs during these tests for crashes or memory errors.
Mitigation Strategies

The immediate mitigation step is to update the Ubuntu Linux 6.8 kernel to a version that includes the fix for this vulnerability.

The fix was released in the linux package version 6.8.0-83.83 for Ubuntu Noble 6.8, which modifies the AF_UNIX socket garbage collector to avoid premature freeing of out-of-band socket buffers.

Until the update is applied, avoid running untrusted local code that can create and manipulate AF_UNIX sockets with OOB data, as this can trigger the use-after-free condition.

Additionally, consider enabling kernel hardening features such as KASAN and monitoring for suspicious kernel behavior.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart