
It provides attackers with a reliable privilege‑escalation path on widely deployed CentOS 9 servers, exposing critical infrastructure to full compromise. The lack of a patch forces organizations to adopt immediate mitigations to protect their environments.
The newly disclosed use‑after‑free flaw resides in the `sch_cake` queuing discipline, a component of the Linux kernel's traffic‑control subsystem that operators use for bandwidth shaping and bufferbloat control. The scheduler reports a successful enqueue even in cases where it has actually dropped the packet, so the rest of the qdisc tree keeps using state that has already been freed, leaving a dangling pointer whose memory can later be reclaimed with attacker‑controlled data. This subtle logic error escaped detection during standard testing and came to light only when it took first place in the TyphoonPWN 2025 Linux category, underscoring how hard kernel‑level bugs are to spot in mature distributions such as CentOS 9.
The proof‑of‑concept released by SSD Disclosure demonstrates a full exploit chain that combines a KASLR bypass, heap spraying via `sendmsg`, and a return‑oriented programming payload that overwrites `modprobe_path`. By planting fake Qdisc objects on the kernel heap, the attacker arranges for the dangling pointer to reference attacker‑controlled data, which ultimately yields code execution as root. The technique mirrors earlier Linux privilege‑escalation exploits built on the traffic‑control subsystem, but because it targets `sch_cake` specifically it is most relevant to hosts where that scheduler is available, whether or not a traffic‑shaping policy is actually applied.
CentOS 9 users currently face a window of exposure because the vendor has not issued a fix despite having been notified more than three months ago. In the interim, practical mitigations include preventing the `sch_cake` module from loading where it is not needed (a `blacklist` line alone is not enough, because `tc qdisc add ... cake` triggers an explicit module load request; pair it with `install sch_cake /bin/false`, and delete any existing cake qdiscs before attempting to unload the module), limiting who can reach the `tc` command, and closely monitoring kernel update channels for a forthcoming patch. One caveat on the `tc` restriction: attaching a qdisc requires CAP_NET_ADMIN, and on systems that allow unprivileged user namespaces a local user can obtain that capability inside a user and network namespace of their own, so restricting the binary does little by itself; disabling unprivileged user namespaces (sysctl `user.max_user_namespaces=0`) removes that path. The episode highlights the broader challenge of maintaining timely security updates in enterprise Linux distributions and reinforces the need for layered defenses, such as mandatory access controls and intrusion‑detection systems, to limit the impact of kernel‑level vulnerabilities.
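The audit and hardening steps above, as an added example: this script is not from the article or from SSD Disclosure's advisory, and it goes slightly beyond the text by also checking the unprivileged user-namespace sysctl. The modprobe.d file name, the `CAKE_MITIGATE_RUN` guard variable and the optional file arguments on each helper are assumptions made here so the checks can be exercised against constructed input without root.

```shell
#!/bin/sh
# Added example (not the advisory's or the article's code): audit a CentOS 9
# host for sch_cake exposure and block the module from loading. Every helper
# takes an optional path so it can be run against constructed files as a test.
set -u

# Emit the modprobe.d fragment. 'blacklist' only stops alias-based autoload;
# 'install ... /bin/false' additionally defeats the explicit module load request
# that 'tc qdisc add ... cake' issues when the module is not yet loaded.
cake_modprobe_conf() {
  cat <<'EOF'
# Mitigation for the sch_cake use-after-free: refuse to load the module.
blacklist sch_cake
install sch_cake /bin/false
EOF
}

# Write the fragment into a modprobe.d directory (default /etc/modprobe.d).
# The file name 99-disable-sch_cake.conf is a choice made here, not a convention.
install_cake_block() {
  dir="${1:-/etc/modprobe.d}"
  mkdir -p "$dir" || return 1
  cake_modprobe_conf > "$dir/99-disable-sch_cake.conf"
}

# Succeed if sch_cake appears in a /proc/modules-style file (default /proc/modules).
cake_module_loaded() {
  modules="${1:-/proc/modules}"
  grep -q '^sch_cake ' "$modules" 2>/dev/null
}

# Succeed if 'tc qdisc show' output read from stdin contains a cake qdisc.
# Each qdisc line starts with 'qdisc <kind> <handle>:', so match on the kind.
cake_qdisc_in_use() {
  grep -q '^qdisc cake '
}

# Succeed if unprivileged user namespaces are disabled (user.max_user_namespaces=0).
# Read from a file (default the live /proc path) so the check can be tested offline.
# CAP_NET_ADMIN is obtainable inside a user+net namespace, so a local user needs
# no access to the tc binary at all; this sysctl is the control that matters.
userns_disabled() {
  f="${1:-/proc/sys/user/max_user_namespaces}"
  [ -r "$f" ] && [ "$(cat "$f")" -eq 0 ] 2>/dev/null
}

# Full run on the live host; requires root. Guarded by an environment variable
# so that sourcing the file or running the helpers in a harness does nothing privileged.
cake_mitigate_main() {
  if tc qdisc show 2>/dev/null | cake_qdisc_in_use; then
    echo "cake qdisc still attached; remove it first (tc qdisc del dev <if> root)" >&2
    return 1
  fi
  install_cake_block || return 1
  if cake_module_loaded; then
    # rmmod only succeeds once no qdisc references the module.
    rmmod sch_cake || echo "sch_cake still in use; unload after tc qdisc del" >&2
  fi
  userns_disabled || echo "note: unprivileged user namespaces are enabled" >&2
}

if [ "${CAKE_MITIGATE_RUN:-0}" = 1 ]; then cake_mitigate_main; fi
```

Run it as `sudo CAKE_MITIGATE_RUN=1 sh cake_mitigate.sh`; sourcing the file without the variable only defines the helpers, which is what the harness below relies on. Blocking the module is pointless on a host that actually shapes traffic with cake, so `tc qdisc show` should be reviewed first and the shaper migrated (for example to `fq_codel`) before the block is applied.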