CVE-2025-13350 is a use-after-free (UAF) vulnerability classified under CWE-416 that affects the legacy AF_UNIX garbage collector implementation in Ubuntu Linux 6.8 kernel versions from 6.8.0-56.58 up to but not including 6.8.0-84.84. The vulnerability stems from a backported upstream commit (8594d9b85c07) that aimed to prevent out-of-bounds skb_get() calls for out-of-band (OOB) socket buffers (SKBs). However, the legacy garbage collector still assumes OOB SKBs hold two references and calls kfree_skb() accordingly. In the affected Ubuntu kernel versions, OOB SKBs only have a single queue reference, causing the buffer to be freed prematurely while still reachable. Subsequent operations that walk the socket queue then dereference this freed memory, leading to a use-after-free condition. This memory corruption can be exploited locally by an attacker with low privileges to escalate their privileges reliably. The flaw does not require user interaction but does require local access with limited privileges. Ubuntu kernels that have integrated the newer garbage collector stack from commit 4090fa373f0e and mainline Linux kernels are not vulnerable as they no longer execute the legacy collector path. The vulnerability has a CVSS 4.0 base score of 7.1, reflecting high severity due to its impact on integrity and availability and the complexity of exploitation being moderate. No public exploits or active exploitation have been reported to date.

The primary impact of CVE-2025-13350 is local privilege escalation on affected Ubuntu Linux 6.8 systems. An attacker with limited local access can exploit the use-after-free vulnerability to execute arbitrary code with elevated privileges or cause denial of service by crashing kernel components. This undermines system confidentiality, integrity, and availability by allowing unauthorized privilege gains and potential kernel memory corruption. Organizations running vulnerable Ubuntu 6.8 kernels in environments where local user access is possible—such as multi-user systems, shared hosting, or developer workstations—face increased risk of compromise. The vulnerability could facilitate lateral movement or persistence by attackers who have gained initial footholds. Although no known exploits are currently in the wild, the reliable nature of the UAF condition makes it a significant threat if weaponized. Systems running newer Ubuntu versions or mainline kernels are not affected, limiting the scope but still posing risk to legacy or slow-to-patch environments.

To mitigate CVE-2025-13350, organizations should immediately identify and inventory all Ubuntu Linux 6.8 systems running kernel versions between 6.8.0-56.58 and 6.8.0-84.84. The primary remediation is to upgrade the kernel to version 6.8.0-84.84 or later, which includes the fix by removing the legacy garbage collector path and adopting the newer garbage collector stack. If upgrading is not immediately feasible, consider restricting local user access to trusted personnel only and implementing strict access controls to limit potential exploitation vectors. Employ kernel hardening features such as Kernel Page Table Isolation (KPTI) and address space layout randomization (ASLR) to increase exploitation difficulty. Regularly monitor system logs for unusual kernel or socket-related errors that could indicate attempted exploitation. Additionally, maintain up-to-date backups and incident response plans to quickly recover from any compromise. Avoid running untrusted code or services on affected systems until patched.