New Linux Kernel Vulnerability Can Be Exploited Directly from Chrome Renderer Sandbox

New Linux Kernel Vulnerability Can Be Exploited Directly from Chrome Renderer SandboxNew Linux Kernel Vulnerability Can Be Exploited Directly from Chrome Renderer SandboxOn August 9, 2025, a high-risk vulnerability numbered CVE-2025-38236 was discovered in the Linux kernel, allowing attackers to escalate privileges from the Chrome renderer sandbox on Linux systems.Google Project Zero researcher Jann Horn found that this vulnerability affects Linux kernel versions 6.9 and above, stemming from the little-known MSG_OOB (Out-of-Band Data) feature in UNIX domain sockets. This discovery reveals the security risks posed by obscure kernel features and exposes flaws in the browser sandbox protection mechanisms.Part01

Technical Analysis of the MSG_OOB Vulnerability

The vulnerability was first identified during a code audit in early June, with its roots tracing back to a defect in the MSG_OOB implementation introduced in Linux version 5.15 in 2021. Although this feature is rarely used outside of specific Oracle products, MSG_OOB is enabled by default in kernels that support UNIX sockets, and due to unfiltered system call flags, the Chrome renderer sandbox can access this feature.

This vulnerability leads to a use-after-free (UAF) issue.Google Project Zero researchersconfirmed that the vulnerability can be triggered through a simple sequence of socket operations, allowing attackers to manipulate kernel memory to gain higher privileges. A patch has been released for the Linux kernel, and the Chrome browser has blocked MSG_OOB messages in the renderer sandbox to mitigate the risk.

According to detailed records from the Google Project Zero vulnerability tracking system,the researchersconstructed an exploit chain demonstrating how an attacker could escalate from native code execution within the Chrome renderer sandbox to kernel-level control on an x86-64 architecture Debian Trixie system. By exploiting the UAF vulnerability, the attacker establishes read primitives to copy arbitrary kernel memory to user space, thereby bypassing user copy hardening restrictions.

This technique achieves precise memory corruption by reallocating freed memory as pipe pages or kernel stacks, combined with page table operations and delayed injection of mprotect(). Notably, the attack also leverages Debian’s CONFIG_RANDOMIZE_KSTACK_OFFSET security feature, turning the stack randomization mechanism, which should serve as a protective measure, into a tool for memory target alignment.

Part02

Challenges in Fuzz Testing and Sandbox Design

Google Project Zero researchers initially discovered the vulnerability while reviewing new kernel features, and subsequently, Google’s syzkaller fuzz testing tool captured related issues in August 2024. The first vulnerability could be triggered with just six system calls, whilethe researchersfound that the second, more complex vulnerability required eight system calls, reflecting the difficulties fuzz testing tools face when exploring complex kernel data structures like socket buffers (SKB).Google Project Zero researcherssuggest that fuzz testing tools could be optimized for specific kernel subsystems to more effectively discover such vulnerabilities.

The exploit process also exposed a wide range of kernel interfaces accessible within the Chrome Linux renderer sandbox, including anonymous virtual memory areas (VMA), UNIX sockets, pipes, and system calls like sendmsg() and mprotect(). Most of these interfaces are unrelated to renderer functionality, unnecessarily increasing the attack surface. Previous Chrome vulnerabilities involving futex(), memfd_create(), and pipe2() have similarly demonstrated that obscure kernel features exposed in the sandbox can pose security risks.

Google Project Zero researchers also questioned the effectiveness of probabilistic protective measures like randomization—when attackers possess arbitrary read primitives, they can bypass protections such as “per-system-call stack randomization” by repeatedly checking randomization results. This finding calls for stricter sandbox restrictions and a reassessment of kernel features accessible to unprivileged processes.Google Project Zero will provide a deeper analysis of the Chrome Linux renderer sandbox mechanism in subsequent reports. Linux users are advised to promptly install the latest kernel patches, while developers should rigorously review obscure kernel features in core system interfaces.

References:

New Linux Kernel Vulnerability Directly Exploited from Chrome Renderer Sandbox Via Rare Linux Socket Feature

https://cybersecuritynews.com/new-linux-kernel-vulnerability/Recommended ReadingNew Linux Kernel Vulnerability Can Be Exploited Directly from Chrome Renderer Sandbox

Radio DiscussionNew Linux Kernel Vulnerability Can Be Exploited Directly from Chrome Renderer Sandbox

Leave a Comment