Security researchers have uncovered a critical vulnerability in the Linux kernel's io_uring subsystem that lets attackers gain full root access on affected systems. Tracked as CVE-2024-0582, the flaw was found to be particularly exploitable in Ubuntu distributions because of patching delays, even though it had been addressed in the stable kernel release in December 2023. The vulnerability stems from a use-after-free condition in the io_uring interface that gives attackers read and write access to previously freed pages, and it presents a significant risk to systems running Linux kernel versions from 6.4 to 6.7.
Although io_uring improves the performance of applications with high I/O operations, it has become a hotspot for security vulnerabilities, which has prompted its restriction or disablement in various environments. CVE-2024-0582 is exploitable with data-only techniques, which bypass common exploit mitigations such as Control-Flow Integrity (CFI). The vulnerability has been exploited using a data-only strategy that lets non-privileged users elevate their privileges to root on affected systems, underscoring the need for prompt patching and mitigation measures.
The patch timeline reveals significant delays in addressing the vulnerability: Ubuntu finally patched the issue in kernel versions 6.5.0-21 for Ubuntu 22.04 LTS and Ubuntu 23.10 on February 22, 2024. The delay left Ubuntu distributions vulnerable in the interim, which makes immediate action to mitigate potential risks all the more urgent. The exploitability and impact of CVE-2024-0582 highlight the importance of timely security updates and proactive measures to safeguard Linux-based systems against evolving threats.
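
A host triage check built from the version range and Ubuntu fix level given above, added here as an example and not taken from the researchers or from Ubuntu. The function names are hypothetical, the Ubuntu comparison assumes the `-generic` kernel flavour, and the `kernel.io_uring_disabled` sysctl it reads is a kernel feature available from Linux 6.6 that the article does not mention by name.

```sh
#!/bin/sh
# Added example: coarse triage for CVE-2024-0582 from the facts in the article.
# Function names are hypothetical; a version match means "verify", not "confirmed".

# classify_kernel RELEASE DISTRO_ID
# prints: unknown | out-of-range | ubuntu-patched | ubuntu-unpatched | check-vendor
classify_kernel() {
    rel=$1 distro=$2
    case "$rel" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # "7-rc1" -> "7"
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    # Affected range per the article: 6.4 through 6.7.
    if [ "$major" -ne 6 ] || [ "$minor" -lt 4 ] || [ "$minor" -gt 7 ]; then
        echo out-of-range; return 0
    fi
    case "$distro:$rel" in
        ubuntu:6.5.0-[0-9]*-generic)
            # Ubuntu fix per the article: 6.5.0-21. Assumption: only the
            # -generic flavour is compared; other flavours number ABIs differently.
            abi=${rel#6.5.0-}; abi=${abi%%[!0-9]*}
            if [ "$abi" -ge 21 ]; then echo ubuntu-patched
            else echo ubuntu-unpatched; fi ;;
        *) echo check-vendor ;;      # in range, but the version alone cannot decide
    esac
}

# io_uring_state VALUE: interpret kernel.io_uring_disabled (sysctl, Linux 6.6+).
io_uring_state() {
    case "$1" in
        0) echo enabled-for-all ;;
        1) echo restricted-to-privileged ;;
        2) echo disabled ;;
        *) echo no-sysctl ;;         # file absent: kernel predates the sysctl
    esac
}

# Report for the local host.
distro=$(sed -n 's/^ID=//p' /etc/os-release 2>/dev/null | tr -d '"')
knob=$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null || true)
echo "kernel=$(uname -r) verdict=$(classify_kernel "$(uname -r)" "$distro")" \
     "io_uring=$(io_uring_state "$knob")"
```

Hosts reporting `ubuntu-unpatched` or `check-vendor` together with `enabled-for-all` or `no-sysctl` are the ones to prioritise for a kernel update.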