
Linux Kernel io_uring UAF Flaw Used to Cheat BPF Verifier and Achieve Container Escape, PoC Released

  • Dec 13, 2025

Key Findings:


  • A use-after-free (UAF) vulnerability in the Linux kernel's io_uring subsystem can be exploited to bypass the BPF verifier and achieve container escape.

  • The flaw, tracked as CVE-2025-40364, allows attackers to manipulate the BPF verifier and gain arbitrary kernel code execution.

  • Proof-of-concept (PoC) exploits have been publicly released, demonstrating the feasibility of the attack.


Background


The Linux kernel's io_uring subsystem is a high-performance I/O interface designed to improve the efficiency of system calls. It is widely used in various applications, including container runtimes and cloud infrastructure.


Vulnerability Details


The UAF vulnerability in the io_uring subsystem is caused by a race condition that allows an attacker to free a kernel object while it is still in use. By exploiting this flaw, the attacker can bypass the BPF verifier, which is responsible for ensuring the safety of eBPF programs.


Exploitation and Impact


Successful exploitation of the vulnerability can lead to arbitrary kernel code execution, enabling attackers to break out of container environments and gain access to the host system. This can have serious consequences, allowing malicious actors to compromise the entire infrastructure.


Mitigations and Recommendations


Linux distributions have released patches to address the vulnerability. Users and system administrators are advised to apply these updates as soon as possible to mitigate the risk of exploitation.


Conclusion


The Linux kernel io_uring UAF vulnerability represents a significant security risk, as it can be leveraged to bypass the BPF verifier and achieve container escape. The availability of PoC exploits underscores the urgency for users to apply the necessary patches to protect their systems.


Sources


  • https://securityonline.info/linux-kernel-io_uring-uaf-flaw-used-to-cheat-bpf-verifier-and-achieve-container-escape-poc-releases/

  • https://x.com/fridaysecurity/status/1999678270137405646

© 2025 by Explain IT Again.
