An RbTree Family Drama: Exploiting a Linux Kernel 0-day Through Red-Black Tree Transformations

No ratings

Presented at Hexacon 2025 by

William Liu

Savino Dicanosa

CVE-2025-38001 is the story of how we exploited a Linux network scheduler 0-day for a 82k USD bounty by creating a novel red-black tree attack technique. We find that the manipulation of red-black node metadata can achieve a pointer copy primitive through a tree rebalance, ultimately unlocking more powerful attack capabilities. Our journey begins with an infinite loop bug, which we then convert into a use-after-free. From there, we develop a reliable, data-only exploit that compromises major Linux distributions and all baseline instances of Google’s kernelCTF. We subsequently adapt our approach to also defeat the instance hardened with state-of-the-art mitigations. Finally, we break the bounty program’s proof-of-work system and achieve the quickest submission ever.