An RbTree Family Drama: Exploiting a Linux Kernel 0-day Through Red-Black Tree Transformations
William Liu, Savino Dicanosa
Hexacon 2025 · Day 2 · Main Stage
In this Hexacon talk, security researchers William Liu of NVIDIA and Savino Dicanosa, an independent researcher, unveiled a sophisticated Linux kernel zero-day exploit, dubbed "An RbTree Family Drama." The presentation details **CVE-2025-38001**, a critical vulnerability in the Linux network scheduler (traffic control) subsystem. The researchers, part of the Crusaders of Rust Security Research Group, demonstrate how a seemingly innocuous kernel soft lockup can be escalated, through intricate **Red-Black Tree (RB-tree)** manipulations, into a page-level Use-After-Free (UAF) and ultimately arbitrary code execution with root privileges.
AI review
This is exactly the kind of research that makes conference review worth doing. Liu and Dicanosa don't just find a bug — they build a complete, multi-stage exploitation chain from a soft lockup through RB-tree manipulation to page UAF to root, then do it *again* on hardened targets using type confusion, xstats leakage, and a prefetch side channel for KASLR bypass. The fact that they pulled $82K in bounties, broke the Kernel CTF proof-of-work hard enough to get it permanently retired, and still had the depth to document mitigation bypasses in detail tells you everything about the caliber of…