HabrMay 27, 2025

[Перевод] Как я нашёл уязвимость в ядре Linux при помощи модели o3

В этом посте я расскажу, как нашёл уязвимость нулевого дня в ядре Linux при помощи модели OpenAI o3. Уязвимость обнаружилась благодаря одному лишь API o3 — не потребовались никакая дополнительная настройка, агентские фреймворки и инструменты. Недавно я занимался аудитом уязвимостей ksmbd. ksmbd — это « сервер ядра Linux, реализующий в пространстве ядра протокол SMB3 для передачи файлов по сети ». Я приступил к этому проекту специально для того, чтобы взять отдых от разработки связанных с LLM инструментов, но после релиза o3 не мог избежать искушения и не использовать в качестве небольшого бенчмарка способностей o3 баги, найденные мной в ksmbd. В одном из следующих постов я расскажу о показателях o3 при обнаружении всех этих багов, а сегодня мы поговорим о том, как в процессе моего бенчмаркинга o3 обнаружила уязвимость нулевого дня. Найденной уязвимости присвоили обозначение CVE-2025-37899 (её патч выложен на Github ), это use-after-free в обработчике команды SMB logoff . Для понимания уязвимости необходимо знать о работе конкурентных подключений к серверу и о том, как они в определённых обстоятельствах могут обмениваться различными объектами. Модели o3 удалось разобраться в этом и найти место, где конкретный объект с автоматическим подсчётом ссылок освобождался, но продолжал оставаться доступным для другого потока. Насколько я понимаю, это будет первым публичным рассказом об уязвимости подобного типа, обнаруженной LLM.

https://habr.com/ru/articles/912916/

#openai_o3 #o3 #llm #уязвимости #useafterfree #large_language_models #большие_языковые_модели

Как я нашёл уязвимость в ядре Linux при помощи модели o3

В этом посте я расскажу, как нашёл уязвимость нулевого дня в ядре Linux при помощи модели OpenAI o3. Уязвимость обнаружилась благодаря одному лишь API o3 — не потребовались никакая дополнительная...

Хабр
Walk NewsMar 22, 2025
https://www.walknews.com/834924/ 【セキュリティ ニュース】「Chrome」に「クリティカル」脆弱性 – アップデートで修正(1ページ目 / 全1ページ):Security NEXT #Chrome134.0.6998.118 #Chrome脆弱性 #CVE20252476 #GoogleLensの脆弱性 #Science #Science&Technology #Security #Technology #UseAfterFree #クリティカルなセキュリティアップデート #セキュリティ #テクノロジー #ニュース #リモートコード実行 #対策 #科学 #科学&テクノロジー
【セキュリティ ニュース】「Chrome」に「クリティカル」脆弱性 – アップデートで修正(1ページ目 / 全1ページ):Security NEXT

Googleは現地時間2025年3月19日、同社ブラウザ「Chrome」における深刻な脆弱性を解消したセキュリティアップデートをリリースした。WindowsおよびmacOS向けに「Chrome 134.0.6998.118」「同134.0.6998.117」、Linux向けに「同134.0.6998.117」をリリースしたもの。今回のアップデートでは、セキュリティに関する2件の修正を実施した。このうち1件については、脆弱性「CVE-2025-2476」への対応であることを明らかにしている。「Google Lens」に判明した解放後のメモリを使用するいわゆる「Use After Free」の脆弱性で、3月5日に報告を受けたという。重要度を4段階中、もっとも高い「クリティカル(Critical)」とレーティングした。同社では、今後数日から数週間をかけて同アップデートを展開する予定。あわせて拡張安定版を更新しており、WindowsおよびmacOS向けに「同134.0.6998.89」を提供している。(Security NEXT - 2025/03/21 ) ツイート 関連リンク Chrome Google PR関連記事エンプラサーバなどに採用されるAMI製「BMC」にRCE脆弱性 KDDIのホームゲートウェイ「HGW-BL1500HM」に複数脆弱性 「FortiOS」脆弱性や不正コード混入「Githubアクション」の悪用に注意喚起 - 米政府 SAP、3月の月例パッチを公開 - 新規アドバイザリ21件を公開 サーバ製品「HPE Cray XD670」の管理ソフトに深刻な脆弱性 「Apache Tomcat」の脆弱性攻撃が発生 - 「WAF」回避のおそれも 図書館管理システム「Koha」に複数脆弱性 - アップデートで修正 PerconaのDB管理ツールに深刻な脆弱性 - 更新と侵害有無の確認を 「Microsoft Edge」にアップデート - Chromiumの脆弱性修正を反映 「Chrome」のGPU脆弱性修正、WebKit関連のゼロデイ脆弱性と判明

WALK NEWS
Harry SintonenOct 10, 2024
#TorBrowser users should update their browser immediately as they're also affected by the #CVE_2024_9680 #useafterfree #vulnerability - https://forum.torproject.org/t/new-release-tor-browser-13-5-7/15087
New Release: Tor Browser 13.5.7

by morgan | October 9, 2024 Tor Browser 13.5.7 is now available from the Tor Browser download page and also from our distribution directory. This version includes important security updates to Firefox: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680 Users should update immediately. Send us your feedback If you find a bug or have a suggestion for how we could improve this release, please let us know. Full changelog The full changelog since Tor Browser 13.5.6 i...

Tor Project Forum
🛡 [email protected]/:~# Jun 11, 2024

Active Exploitation of Mali GPU Kernel Driver Flaw

Date: June 10, 2024
CVE: CVE-2024-4610
Vulnerability Type: [[Use-After-Free]] (UAF)
CWE: [[CWE-416]], [[CWE-119]]
Sources: Bleeping Computer, The Register, HotHardware

Synopsis

Arm has issued a security bulletin concerning a critical memory-related vulnerability in its Mali GPU kernel drivers, which is currently being exploited in the wild. This vulnerability affects Bifrost and Valhall GPU kernel drivers across multiple versions.

Issue Summary

The vulnerability, identified as [[CVE-2024-4610]], is a [[use-after-free]] flaw in the Mali GPU kernel drivers. This flaw allows a local non-privileged user to perform improper GPU memory operations, gaining access to already freed memory. The flaw impacts all versions of the Bifrost and Valhall drivers from r34p0 through r40p0.

Technical Key Findings

Use-after-free vulnerabilities occur when a program continues to use a pointer to a memory location after it has been freed. This can lead to serious issues such as information disclosure and arbitrary code execution. In the case of CVE-2024-4610, a local attacker could exploit this flaw to execute arbitrary code on the affected system, potentially leading to a full system compromise.

Vulnerable Products

  • Bifrost GPUs: Versions r34p0 to r40p0
  • Valhall GPUs: Versions r34p0 to r40p0
  • Devices: Including but not limited to Samsung Galaxy S20, Xiaomi Redmi K30, Motorola Edge 40, OnePlus Nord 2, Chromebooks, and various embedded systems.

Impact Assessment

Exploitation of this vulnerability can lead to severe consequences, including unauthorized access to sensitive information, system compromise, and potential deployment of malware. The vulnerability's exploitation in the wild indicates a significant risk, especially for high-value targets such as activists and journalists.

Patches or Workaround

Arm has released a patch for this vulnerability in version r41p0 of the Bifrost and Valhall GPU Kernel Driver, available since November 24, 2022. Users are advised to update their drivers to the latest version to mitigate this risk. Due to the complexity of the supply chain, some users may experience delays in receiving the updates.

Tags

#CVE-2024-4610 #MaliGPU #Arm #UseAfterFree #Vulnerability #Patch #CyberSecurity #AndroidDevices #SystemCompromise #HighRisk

Arm warns of actively exploited flaw in Mali GPU kernel drivers

Arm has issued a security bulletin warning of a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that is being exploited in the wild.

BleepingComputer
🛡 [email protected]/:~# Jun 5, 2024

PoC released for Critical Privilege Escalation Vulnerability in Linux Kernel

Date: June 5, 2024

CVE: CVE-2023-3390

Vulnerability Type: Use-After-Free

CWE: [[CWE-416]]

Sources: SSD-disclosure NVD, Debian Security Tracker, Snyk

Synopsis

A PoC Exploit has been released for Linux Kernel use-after-free vulnerability, identified as CVE-2023-3390, has been discovered in the Linux kernel's netfilter subsystem. This flaw, present in the nf_tables_api.c file, can allow a local attacker with the ability to execute low-privileged code on the target system to escalate privileges due to mishandled error handling. The vulnerability has been patched.

Issue Summary

CVE-2023-3390 is a critical vulnerability found in the Linux kernel's netfilter subsystem. The issue arises from a use-after-free error in the NFT_MSG_NEWRULE handling, potentially allowing attackers to exploit a dangling pointer within the same transaction. This flaw enables local attackers to gain elevated privileges on affected systems.

Technical Key Findings

The root cause of CVE-2023-3390, a critical privilege escalation vulnerability in the Linux kernel, lies in the improper management of integer values within the nft_parse_register_store function of the Netfilter subsystem. Specifically, this vulnerability is due to an integer overflow issue within the nft_validate_register_store function, which fails to correctly handle certain large values for register indices.

The CVE-2023-3390 vulnerability arises from an integer overflow in the validation logic of the Netfilter subsystem, which fails to properly handle large register values, allowing an attacker to perform out-of-bounds writes to kernel memory. This leads to potential privilege escalation, compromising the affected system. It is crucial to apply patches that correct this validation flaw to mitigate the risk.

For details, see the detailed root cause analysis at SSD Secure Disclosure

Vulnerable Products

The vulnerability affects Debian 11 (Linux Kernel 5.10)

Impact Assessment

Exploiting this vulnerability allows a local attacker to gain root access, which can lead to severe consequences such as system compromise, data breaches, and service disruptions.

Patches or Workaround

Patches for CVE-2023-3390 have been released. Administrators are advised to update their Linux kernel to versions that include the commit 1240eb93f0616b21c675416516ff3d74798fdc97.  an updated kernel in July 2023: https://tracker.debian.org/news/1449040/accepted-linux-510179-3-source-into-oldstable-security

Tags

#CVE-2023-3390 #LinuxKernel #PrivilegeEscalation #UseAfterFree #Netfilter #SecurityPatch #Debian #AlmaLinux #Ubuntu2404

SSD Advisory - Linux Kernel nft_validate_register_store Integer Overflow Privilege Escalation - SSD Secure Disclosure

Summary A vulnerability in the Linux kernel allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the netfilter subsystem. The issue results from the improper management … SSD Advisory – Linux Kernel nft_validate_register_store Integer Overflow Privilege Escalation Read More »

SSD Secure Disclosure
🛡 [email protected]/:~# May 15, 2024

VMware Patches Severe Security Flaws in Workstation and Fusion Products

Date: May 2024
CVE: CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270
Vulnerability Type: Use-After-Free, Heap Buffer Overflow, Information Disclosure
CWE: [[CWE-416]], [[CWE-122]], [[CWE-200]]
Sources: The Hacker News, Broadcom advisory

Issue Summary

Multiple severe security vulnerabilities have been identified in VMware Workstation and Fusion products. These vulnerabilities could potentially allow threat actors to execute arbitrary code, access sensitive information, and trigger denial-of-service (DoS) conditions. The affected versions include Workstation 17.x and Fusion 13.x.

Technical Key Findings

The vulnerabilities include a use-after-free issue in the Bluetooth device (CVE-2024-22267), a heap buffer overflow in the shader functionality (CVE-2024-22268), and two information disclosure flaws (CVE-2024-22269 and CVE-2024-22270). Exploiting these vulnerabilities requires local administrative privileges on a virtual machine, potentially allowing attackers to manipulate the VM's VMX process.

  • CVE-2024-22267 (CVSS score: 9.3) - A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host

|VMware Product|Version|Running On|CVE|CVSSv3|Severity|Fixed Version|Workarounds|Additional Documentation|
|---|---|---|---|---|---|---|---|---|
|Workstation|17.x|Any|CVE-2024-22267|9.3|Critical|17.5.2|KB91760|None|
|Fusion|13.x|OS X|CVE-2024-22267|9.3|Critical|13.5.2|KB91760|None|

  • CVE-2024-22268 (CVSS score: 7.1) - A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D graphics enabled to create a DoS condition

| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| -------------- | ------- | ---------- | -------------- | --------------------------------------------------------------------------------------------- | --------- | ------------- | ------------------------------------------------ | ------------------------ |
| Workstation | 17.x | Windows | CVE-2024-22268 | 7.1 | Important | 17.5.2 | KB59146 | None |
| Fusion | 13.x | OS X | CVE-2024-22268 | 7.1 | Important | 13.5.2 | KB59146 | None |

  • CVE-2024-22269 (CVSS score: 7.1) - An information disclosure vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine== to read privileged information contained in hypervisor memory== from a virtual machine

|VMware Product|Version|Running On|CVE|CVSSv3|Severity|Fixed Version|Workarounds|Additional Documentation|
|---|---|---|---|---|---|---|---|---|
|Workstation|17.x|Any|CVE-2024-22269|7.1|Important|17.5.2|KB91760|None|
|Fusion|13.x|OS X|CVE-2024-22269|7.1|Important|13.5.2|KB91760|None|

  • CVE-2024-22270 (CVSS score: 7.1) - An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine

| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| -------------- | ------- | ---------- | -------------- | --------------------------------------------------------------------------------------------- | --------- | ------------- | ----------- | ------------------------ |
| Workstation | 17.x | Any | CVE-2024-22270 | 7.1 | Important | 17.5.2 | None | None |
| Fusion | 13.x | OS X | CVE-2024-22270 | 7.1 | Important | 13.5.2 | None | None |

Vulnerable Products

  • VMware Workstation versions 17.x
  • VMware Fusion versions 13.x

Impact Assessment

Exploiting these vulnerabilities could lead to significant security breaches, including arbitrary code execution on the host machine, sensitive data exposure, and system crashes. The critical nature of these flaws underscores the need for immediate remediation to prevent potential attacks.

Patches or Workarounds

VMware has released patches for these vulnerabilities in versions 17.5.2 (Workstation) and 13.5.2 (Fusion). As temporary measures, users are advised to disable Bluetooth support and 3D acceleration features on virtual machines. However, there is no workaround for CVE-2024-22270.

Tags

#VMware #CVE-2024-22267 #CVE-2024-22268 #CVE-2024-22269 #CVE-2024-22270 #UseAfterFree #HeapBufferOverflow #InformationDisclosure #Virtualization #Workstation #Fusion #SecurityPatch

VMware Patches Severe Security Flaws in Workstation and Fusion Products

Researchers have uncovered a critical vulnerability in VMware's Bluetooth device, allowing code execution by malicious actors.

The Hacker News
Median HeadroomApr 21, 2024

We're taught that in C, using a pointer after free() is bad not because it will crash but because it might not.

Here's some #Rstats code:

a <- file(tempfile())
close(a)
b <- url('http://example.org')
readLines(a, 1)

Of course it has a mistake, but have you guessed what it does?

It's not a literal #UseAfterFree - R validates the access - but R connections are mostly indices into a special array. Once you close() an R connection, it becomes dangerous waste. Discard it as soon as possible for proper recycling.

Example Domain

Chema Alonso Mar 20, 2024
El lado del mal - GhostRace y los Speculative Concurrent Use-After-Free Exploits basados en Spectre_v1 https://www.elladodelmal.com/2024/03/ghostrace-y-los-speculative-concurrent.html #Exploiting #Spectre #UseAfterFree #Linux #Kernel #hacking #Intel #Hypervisor
GhostRace y los Speculative Concurrent Use-After-Free Exploits basados en Spectre_v1

Blog personal de Chema Alonso (CDO Telefónica, 0xWord, MyPublicInbox, Singularity Hackers) sobre seguridad, hacking, hackers y Cálico Electrónico.

Not SimonMar 19, 2024

Security researcher Man Yue Mo provides a vulnerability analysis on CVE-2023-6241 (no CVSS score, disclosed 14 December 2023) a Use After Free (UAF) vulnerability in Arm Mali GPU which allows a malicious Android app to gain arbitrary kernel code execution and root on the device. "What is interesting about this vulnerability is that it is a logic bug in the memory management unit of the Arm Mali GPU and it is capable of bypassing Memory Tagging Extension (MTE)" 🔗 https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/

#CVE_2023_6241 #vulnerability #UseAfterFree #ARM

Gaining kernel code execution on an MTE-enabled Pixel 8

In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.

The GitHub Blog