
Linux Kernel proc_readdir_de() (v6.18-rc5) Local Privilege Escalation — Detection and Hardening Guide

Security Arsenal Team
May 4, 2026

A high-severity local privilege escalation vulnerability has been identified in the Linux Kernel, specifically within the proc_readdir_de() function in version 6.18-rc5. This flaw constitutes a classic race condition leading to a Use-After-Free (UAF) scenario, allowing a local user with standard privileges to execute arbitrary code with kernel-mode rights, effectively achieving root access on the host.

For defenders, this is a critical threshold breach. Once an attacker gains a foothold via a web exploit or compromised user credential, a kernel LPE (Local Privilege Escalation) like this bypasses all userspace security controls (containerization, SELinux, AppArmor) and allows for full persistence, stealth, and lateral movement. Immediate patching and detection of exploit artifacts are required to maintain system integrity.

Technical Analysis

  • Affected Product: Linux Kernel
  • Affected Version: 6.18-rc5 (and potentially adjacent development branches)
  • Vulnerable Component: fs/proc/readdir.c (specifically the proc_readdir_de function)
  • Attack Vector: Local
  • Complexity: Low (public exploit code available on Exploit-DB)
  • Impact: Unauthorized Privilege Gain (Root / Kernel)

Vulnerability Mechanics

The vulnerability resides in the proc_readdir_de() function, responsible for reading directory entries within the /proc filesystem. The implementation fails to properly handle locking mechanisms during the traversal of directory entries.

Specifically, a Time-of-Check to Time-of-Use (TOCTOU) race condition exists where the pde (proc directory entry) can be freed (removed) by one thread while readdir is still attempting to access it in another thread. This creates a Use-After-Free condition. By manipulating the memory allocation patterns (heap grooming), an attacker can reclaim the freed memory with controlled data. When the kernel attempts to use the dangling pointer, it interprets the attacker-controlled data as a function pointer, leading to arbitrary code execution within the kernel context.

Exploitation Status

A Proof-of-Concept (PoC) exploit is publicly available (Exploit-DB 52550). While active exploitation in the wild has not been massively observed at the time of writing, the availability of a reliable PoC lowers the barrier for threat actors and insider threats significantly.

Detection & Response

Detecting kernel race conditions is challenging because the exploit happens entirely in kernel memory before returning to user space. However, reliable detection can be achieved by hunting for the post-exploitation artifacts (e.g., the deployment of SUID root shells) and by monitoring kernel crash logs (Oops/Panic), which often occur during the exploit's trial-and-error phase of heap grooming.

Sigma Rules

The following Sigma rules identify suspicious kernel logs indicative of memory corruption and the creation of unauthorized SUID binaries, a common goal of this exploit.

YAML
---
title: Potential Linux Kernel Exploit - proc_readdir Memory Corruption
id: 9a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects kernel general protection faults or segfaults in the proc filesystem, which may indicate an exploit attempt against proc_readdir_de().
references:
  - https://www.exploit-db.com/exploits/52550
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  product: linux
  service: syslog
detection:
  selection:
    process.name: 'kernel'
    message|contains:
      - 'general protection fault'
      - 'rip: proc_readdir'
      - 'proc_readdir_de'
  condition: selection
falsepositives:
  - Legitimate kernel bugs in unstable hardware/drivers
level: high
---
title: Linux SUID File Creation in World-Writable Directories
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the creation of SUID binaries in /tmp, /var/tmp, or /dev/shm. This is a common tactic for Local Privilege Escalation exploits to plant a root shell.
references:
  - https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  product: linux
  category: file_change
detection:
  selection:
    path|contains:
      - '/tmp'
      - '/var/tmp'
      - '/dev/shm'
    mode|contains: 'suid'
  condition: selection
falsepositives:
  - Rare administrative errors (legitimate apps rarely set SUID in /tmp)
level: critical
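As an added example that is not part of the original advisory or the Security Arsenal rule set, the selection logic of both Sigma rules above applied in Python to constructed data; the syslog lines, host name, fault address and file_change events are all made up, and the file events carry the octal st_mode string that auditd PATH records use rather than a literal "suid" token.

```python
import re

# Constructed sample syslog lines (not real captures): three kernel lines from a
# faulting readdir path, one benign kernel line and one non-kernel line.
SAMPLE_SYSLOG = """\
May  4 10:01:12 web01 kernel: general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP
May  4 10:01:12 web01 kernel: RIP: 0010:proc_readdir_de+0x9c/0x1e0
May  4 10:01:12 web01 kernel: Call Trace: proc_readdir+0x41/0x60
May  4 10:03:44 web01 kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
May  4 10:05:02 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5
"""

# Terms copied from the first Sigma rule's message|contains list.
KERNEL_TERMS = ("general protection fault", "rip: proc_readdir", "proc_readdir_de")
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>" (classic BSD syslog layout)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")

def match_kernel_rule(line):
    """Sigma selection 1: program is 'kernel' and the message contains any term.
    Sigma's |contains modifier is case-insensitive, so compare in lower case.
    Note the 'Call Trace: proc_readdir+...' line is NOT caught: the rule's terms
    are narrower than the bare symbol name."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "kernel":
        return False
    msg = m.group("msg").lower()
    return any(term in msg for term in KERNEL_TERMS)

def kernel_hits(text):
    return [l for l in text.splitlines() if match_kernel_rule(l)]

# Constructed file_change events; mode is the octal st_mode (auditd: mode=0104755),
# so the check tests the setuid bit (0o4000) instead of a substring.
SAMPLE_FILE_EVENTS = [
    {"path": "/tmp/.cache/bash", "mode": "0104755"},      # SUID shell dropped in /tmp
    {"path": "/usr/bin/passwd", "mode": "0104755"},       # legitimate SUID, not a temp dir
    {"path": "/dev/shm/scratch.dat", "mode": "0100644"},  # temp dir, no setuid bit
    {"path": "/home/alice/tmp/tool", "mode": "0104755"},  # contains '/tmp' but is not /tmp
]

def match_suid_rule(event, strict=False):
    """Sigma selection 2. strict=False reproduces path|contains, which also fires
    on /home/alice/tmp/...; strict=True anchors the match to the directory itself."""
    path = event["path"]
    in_temp = any(path.startswith(d + "/") if strict else d in path for d in TEMP_DIRS)
    return in_temp and bool(int(event["mode"], 8) & 0o4000)

def suid_hits(events, strict=False):
    return [e["path"] for e in events if match_suid_rule(e, strict)]
```

Running the file-event rule with strict=True shows why a `path|startswith` modifier would be the tighter choice for the second Sigma rule.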

KQL (Microsoft Sentinel)

This query hunts for kernel panic messages in Syslog data ingested via the Syslog connector or the Linux Agent (OMS).

KQL — Microsoft Sentinel / Defender
Syslog
| where Facility == "kern"
| where SyslogMessage has "general protection fault"
    or SyslogMessage has "BUG: unable to handle page"
// 'has' matches whole terms, so use 'contains' to catch symbols such as proc_readdir_de+0x9c
| where SyslogMessage contains "proc" or SyslogMessage contains "readdir"
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by HostName = Computer, ProcessName, SyslogMessage
| order by LastSeen desc

Velociraptor VQL

This VQL artifact hunts for SUID binaries in temporary directories. If proc_readdir_de is exploited, it almost always results in a copy of /bin/bash or similar being set to SUID root to serve as a backdoor.

VQL — Velociraptor
-- Hunt for SUID binaries in common temp directories (recursive, hidden dirs included).
-- Go's FileMode string starts with 'u' when the setuid bit is set (e.g. urwxr-xr-x),
-- so anchor the regex on that prefix; Data.Uid/Data.Gid are the owner from stat().
-- OSPath is the current column name; older Velociraptor releases call it FullPath.
SELECT OSPath, Mode.String AS ModeStr, Size, Mtime,
       Data.Uid AS Uid, Data.Gid AS Gid
FROM glob(globs=['/tmp/**', '/var/tmp/**', '/dev/shm/**'])
WHERE Mode.String =~ '^u'

Remediation Script (Bash)

Use this script to audit your kernel version against the affected range and enforce immediate mitigations if patching is not possible.

Bash / Shell
#!/bin/bash

# Remediation Audit for proc_readdir_de() (v6.18-rc5)

echo "[*] Checking Linux Kernel Version..."
KERNEL_VER=$(uname -r)
VULN_VERSION="6.18-rc5"

echo "Current Kernel: $KERNEL_VER"

# uname -r reports release candidates as 6.18.0-rc5 (often with a build suffix),
# so match the pattern rather than the exact kernel.org tag.
if [[ "$KERNEL_VER" == 6.18.0-rc5* || "$KERNEL_VER" == 6.18-rc5* ]]; then
    echo "[!] ALERT: System is running vulnerable kernel version $VULN_VERSION."
    echo "[!] Action Required: Update to the latest stable kernel immediately."
    # Generic update command - Distro specific commands may vary
    # echo "[*] Run: apt update && apt upgrade linux-image-generic"
    # echo "[*] OR: yum update kernel"
else
    echo "[+] Kernel version does not match the specific vulnerable release."
fi

echo "[*] Scanning for unauthorized SUID files in temporary directories..."
for DIR in /tmp /var/tmp /dev/shm; do
    [ -d "$DIR" ] || continue
    if find "$DIR" -xdev -perm -4000 -type f 2>/dev/null | grep -q .; then
        echo "[!] WARNING: SUID files found in $DIR. Investigate immediately:"
        find "$DIR" -xdev -perm -4000 -type f -ls 2>/dev/null
    else
        echo "[+] No SUID files found in $DIR."
    fi
    # A planted SUID shell cannot gain privileges if the filesystem is mounted nosuid.
    OPTS=$(findmnt -T "$DIR" -no OPTIONS 2>/dev/null)
    if [[ "$OPTS" == *nosuid* ]]; then
        echo "[+] $DIR is mounted nosuid."
    else
        echo "[!] $DIR is not mounted nosuid (mount options: ${OPTS:-unknown})."
    fi
done

echo "[*] Checking unprivileged user namespace restriction..."
# kernel.unprivileged_userns_clone exists only on Debian/Ubuntu kernels;
# mainline kernels expose user.max_user_namespaces instead.
if sysctl -n kernel.unprivileged_userns_clone >/dev/null 2>&1; then
    echo "[*] kernel.unprivileged_userns_clone = $(sysctl -n kernel.unprivileged_userns_clone) (0 = restricted)"
else
    echo "[*] user.max_user_namespaces = $(sysctl -n user.max_user_namespaces 2>/dev/null) (0 = restricted)"
fi

Remediation

  1. Patch Immediately: The only reliable remediation for a kernel Use-After-Free vulnerability is to update to a patched version. Check with your Linux distribution vendor (Red Hat, Canonical, SUSE, etc.) for security advisories addressing proc_readdir_de().
  2. Workaround - Restrict Unprivileged User Namespaces: Since this exploit relies on complex memory manipulation, restricting access to user_namespaces can often break the heap grooming techniques used in these exploits.
    • Run: sysctl kernel.unprivileged_userns_clone=0
    • Persist in /etc/sysctl.conf.
  3. Strict File Permissions: Ensure world-writable directories (/tmp, /var/tmp, /dev/shm) are mounted with nosuid and nodev options to prevent the placement of SUID backdoors.
  4. Audit Logs: Review /var/log/kern.log and /var/log/syslog for recent "general protection fault" errors that might indicate prior exploitation attempts.
