A newly disclosed security vulnerability in the Linux kernel, tracked as StackRot (CVE-2023-3269, CVSS score: 7.8), offers a potential path to privilege escalation on affected systems. The flaw affects Linux kernel versions 6.1 through 6.4; no exploitation in the wild has been reported so far.

The StackRot vulnerability lives in the kernel's memory management subsystem, so it is present in nearly all kernel configurations. According to security researcher Ruihan Li of Peking University, the flaw requires minimal capability to trigger, which heightens the concern for system administrators.

Although the vulnerability is real, practical exploitation is complicated by the way maple tree nodes are freed: they are released through Read-Copy-Update (RCU) callbacks, so the actual memory deallocation is deferred until after the RCU grace period. This adds a layer of difficulty for potential attackers.

The Linux kernel team addressed the vulnerability following responsible disclosure on June 15, 2023. Fixes landed in the stable releases 6.1.37, 6.3.11, and 6.4.1 by July 1, 2023, with the effort coordinated by Linux creator Linus Torvalds.

In addition, a proof-of-concept exploit is expected to be published by the end of the month, which should further illuminate the technical details of the vulnerability.

At its core, the StackRot flaw lies in a data structure known as the maple tree. Introduced in Linux kernel 6.1 to replace the red-black tree (rbtree), it manages virtual memory areas (VMAs): contiguous ranges of virtual addresses within a process, such as those backing memory-mapped files or a running program's own memory.

The vulnerability is classified as a use-after-free bug. A local user could potentially exploit it to compromise the kernel and elevate privileges, because node replacement in the maple tree is performed without properly holding the MM write lock.
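A defender's first question is whether a given host runs a kernel inside the affected window. The following is an added example, not code from the article or the kernel project: it parses a `uname -r` style release string and compares it against the affected series (6.1 through 6.4) and the first fixed stable releases named above (6.1.37, 6.3.11, 6.4.1). It assumes that, because the article lists no fixed 6.2.x release, every 6.2.x kernel should be treated as affected.

```python
import re
from typing import Optional, Tuple

# CVE-2023-3269 (StackRot): affected upstream series 6.1 through 6.4.
# First fixed stable releases named in the article: 6.1.37, 6.3.11, 6.4.1.
# The article lists no fixed 6.2.x release, so every 6.2.x kernel is
# treated as affected here (assumption drawn from the article).
FIXED_PATCH = {1: 37, 3: 11, 4: 1}
AFFECTED_MINORS = (1, 2, 3, 4)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> Optional[Tuple[int, int, int]]:
    """Parse the upstream part of a `uname -r` string into (major, minor, patch).

    Distro suffixes such as '-generic' or '-arch1-1' are ignored; a release
    without a third component (e.g. '6.4') is treated as patch level 0.
    Returns None when the string does not start with a version number.
    """
    m = VERSION_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(release: str) -> bool:
    """True when the upstream version falls in the StackRot-affected window
    and is older than the first fixed release of its stable series."""
    parsed = parse_kernel_version(release)
    if parsed is None:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = parsed
    if major != 6 or minor not in AFFECTED_MINORS:
        return False
    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        return True  # no fixed release in this series: all patch levels affected
    return patch < fixed


if __name__ == "__main__":
    import platform
    rel = platform.release()  # on Linux this is the same string as `uname -r`
    verdict = "in affected window" if is_affected(rel) else "not in affected window"
    print(f"{rel}: {verdict}")
```

Distribution kernels often backport the fix without changing the upstream version string, so a positive result from this check should be confirmed against the vendor's advisory before being treated as a finding.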

Linus Torvalds has expressed an intent to streamline the stack expansion code, proposing a reorganization because its implementation is currently fragmented across several files. The change is meant to make the code easier to maintain as further refinements follow from the initial maple tree based VMA management implementation.
