LK-USERFAULTFDPrivilege Escalation

userfaultfd Race

Suspend kernel inside a critical section via userfaultfd → win race conditions deterministically (commonly used for nf_tables, ksmbd).

§ Where this technique fits

LK-USERFAULTFD is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
step 4 / 7

§ What commonly comes next

01
Dirty Pagetable
LK-DIRTY-PAGETABLE · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

nf_tables UAF → kernel R/W → root

§ What commonly comes next