LK-IO-URING-UAFPrivilege Escalation

io_uring UAF / Privesc

Series of io_uring bugs (2022-2024) — race condition in SQE handling yields a UAF on a kernel object, then ROP / pivot to modprobe_path.

§ Where this technique fits

LK-IO-URING-UAF is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
step 2 / 6

§ What commonly comes next

01
Dirty Pagetable
LK-DIRTY-PAGETABLE · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

io_uring UAF → modprobe_path overwrite → root

§ What commonly comes next