CVE-2025-38236: MSG_OOB Flaw in Linux Kernel Enables Chrome Sandbox Escape


Critical Kernel Flaw Uncovered by Google Project Zero

Google Project Zero researcher Jann Horn has discovered a severe Linux kernel vulnerability, CVE-2025-38236, that lets attackers escalate from native code execution inside Chrome’s renderer sandbox to full kernel control.

The flaw stems from the MSG_OOB (out-of-band) feature in UNIX domain sockets and impacts Linux kernel versions 6.9 and above. While developers rarely use this feature, its exposure inside browser sandboxes poses a serious security risk.

How the Vulnerability Originated

Horn identified the bug in early June 2025 during a review of recent Linux kernel changes. Developers originally added MSG_OOB in Linux 5.15 (2021) for niche Oracle applications. However, it remained enabled by default in UNIX domain sockets.

Because Chrome’s syscall flag filtering did not screen for it, code inside the sandbox could still issue MSG_OOB operations. The bug is a use-after-free (UAF) in the kernel’s handling of that feature; once triggered, it lets an attacker manipulate kernel memory and gain elevated privileges.

Exploit Technique in Action

Horn demonstrated the attack on a Debian Trixie x86-64 system. His method involved:

  1. Freeing kernel memory through crafted socket operations.

  2. Reallocating it as pipe pages or kernel stacks.

  3. Using read primitives to copy kernel memory into user space.

  4. Applying page table manipulation and mprotect() for precise memory corruption.

Interestingly, CONFIG_RANDOMIZE_KSTACK_OFFSET, a security mitigation that randomizes stack offsets, actually helped the exploit. Horn used it to detect optimal stack alignment, improving the reliability of the attack.

Patches and Fixes Already Released

Linux maintainers have patched the kernel by disabling default MSG_OOB support in affected versions.
Meanwhile, Google updated Chrome’s sandbox to block MSG_OOB messages, closing this specific exploit path.
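A defensive illustration of the sandbox-side fix, written for this article and not taken from Chrome’s sandbox: a seccomp-BPF filter for x86-64 that refuses (with EPERM) any socket send/receive syscall whose flags argument has MSG_OOB set, together with a plain-C copy of the same policy so it can be unit-tested. The function names and the syscall list are my own choices; the page does not show Chrome’s actual filter.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define EMIT(insn) (out[n++] = (struct sock_filter)insn)

/* Index of the syscall argument that carries MSG_* flags on x86-64, or -1 for other syscalls. */
static int flags_arg_index(int nr) {
    if (nr == __NR_sendto || nr == __NR_recvfrom || nr == __NR_sendmmsg || nr == __NR_recvmmsg) return 3;
    if (nr == __NR_sendmsg || nr == __NR_recvmsg) return 2;
    return -1;
}

/* The policy in plain C (mirrors the BPF program below): non-zero when the call must be refused. */
int msg_oob_blocked(int nr, const unsigned long args[6]) {
    int i = flags_arg_index(nr);
    return i >= 0 && (args[i] & MSG_OOB) != 0;
}

/* Emit the seccomp-BPF program into out (capacity >= 40) and return its instruction count. */
int build_block_oob_filter(struct sock_filter *out) {
    static const int nrs[] = {__NR_sendto, __NR_recvfrom, __NR_sendmsg,
                              __NR_recvmsg, __NR_sendmmsg, __NR_recvmmsg};
    int n = 0;
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0)); /* argument layout below is x86-64 only */
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t s = 0; s < sizeof nrs / sizeof nrs[0]; s++) {
        EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nrs[s], 0, 4)); /* not this syscall: try the next one */
        EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args) + 8 * flags_arg_index(nrs[s]))); /* low 32 bits of flags (little-endian) */
        EMIT(BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MSG_OOB, 0, 1)); /* MSG_OOB clear: skip the deny */
        EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)));
        EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    }
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)); /* everything else passes through */
    return n;
}

/* Install the filter on the calling thread: 0 on success, -1 on failure (errno set by prctl). */
int install_block_oob_filter(void) {
    struct sock_filter code[40];
    struct sock_fprog prog = { .len = (unsigned short)build_block_oob_filter(code), .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

seccomp sees only the syscall arguments, not the socket family, so this also refuses MSG_OOB on TCP sockets; it is a sandbox-side stopgap, and the kernel patch remains the actual fix.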

Key Security Takeaways

This vulnerability reveals two major lessons:

  • Rare kernel features can still become attack vectors if exposed to untrusted code.

  • Current fuzzing tools, such as Google’s syzkaller, face difficulties when exploring complex kernel data structures like socket buffers (SKBs). Horn’s related bug required eight syscalls to trigger, compared to the six needed for the one syzkaller found.

What Linux Users Should Do Now

To stay secure:

  • Update your Linux kernel to the patched version.

  • Upgrade Chrome to the latest release.

  • Monitor for signs of sandbox escapes or kernel-level privilege escalations.
