Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free

A pretty boring (non-exploitable) yet widespread use-after-free vulnerability that was recently patched and affected Linux kernels since ~2013. It involves a race condition between the exit path for a process and /proc/<pid>/timers.

In this post, I explain the race and walk through exploitability analysis.