Cyber Security News

Linux Kernel Vulnerability Let Attackers Escalate Privilege – PoC Released

A newly discovered vulnerability, CVE-2024-53141, in the Linux kernel’s IP sets framework has exposed a critical security flaw that allows local attackers to escalate privileges and potentially gain root access. 

The vulnerability, discovered by researchers st424204 and d4em0n and assigned a CVSS score of 7.8, specifically affects the bitmap:ip set type within the netfilter subsystem. 

Linux Kernel IP Sets Vulnerability – CVE-2024-53141

The flaw stems from improper handling of the IPSET_ATTR_CIDR parameter when tb[IPSET_ATTR_IP_TO] is not present.

“When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing,” explains the Ubuntu security advisory.

Exploitation Path

The security implications are severe. The exploit chain documented in the researchers’ repository demonstrates how attackers can leverage this flaw to achieve:

  • Out-of-bounds write access to the kernel heap, enabling address leakage.
  • Arbitrary value writing outside allocated memory bounds.
  • Conversion of out-of-bounds conditions into use-after-free vulnerabilities.
  • Kernel Address Space Layout Randomization (KASLR) bypass.
  • Redirection of kernel execution flow to attacker-controlled code.

The exploit code specifically targets the bitmap_ip implementation in net/netfilter/ipset/ip_set_bitmap_ip.c, where the vulnerability surfaces in function calls like ip_to_id, which can be manipulated to return index values far outside the allocated memory range of the set.

The PoC exploit leverages several advanced primitives:

  • Heap Address Leak: By exploiting the comment extension in ip_set_init_comment, attackers can leak kernel heap addresses from adjacent memory chunks.
  • Arbitrary OOB Write: Utilizing the counter extension in ip_set_init_counter, attackers can write controlled values outside allocated bounds.
  • Use-After-Free: By manipulating msg_msgseg structures, OOB writes are converted into UAFs, enabling further exploitation.
  • KASLR Bypass: The exploit uses heap spraying and object reallocation to leak kernel text addresses and defeat Kernel Address Space Layout Randomization.
  • RIP Control and ROP Chain Execution: Through precise heap manipulation, the attacker gains control of the instruction pointer (RIP), redirecting execution to a crafted ROP chain that overwrites the core_pattern kernel variable, ultimately spawning a root shell.

Risk Factors            Details
Affected Products       Linux kernel versions 2.6.39 to 4.19.325, 6.6.64, 6.11.11, and 6.12.2 (excluding patched versions)
Impact                  Privilege escalation, kernel-level code execution, KASLR bypass, heap memory corruption, and root shell access.
Exploit Prerequisites   Local access with low privileges (CVSS:3.1/PR:L). SUSE rates it as requiring high privileges (PR:H).
CVSS 3.1 Score          7.8 (High)

Affected Versions and Remediation

The vulnerability affects kernel versions from 2.6.39 through versions prior to 4.19.325, 6.6.64, 6.11.11, and 6.12.2. The exploit code in the repository specifically targets Linux kernel 6.6.62.

Security experts recommend immediate patching as the most effective mitigation. The fix, which adds proper range checks to the bitmap_ip_uadt function, has been incorporated into Linux kernels 4.19.325, 6.6.64, 6.11.11, 6.12.2, and later.
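To make the advisory's description of the bug and the shape of the fix concrete, here is a user-space model of the range validation in bitmap_ip_uadt. This is example code added for this article, not the kernel's or the researchers' code: the struct, the range_check function and the sample addresses are constructed, while the hostmask and ip_to_id arithmetic mirrors what the upstream ip_set_hostmask() and ip_to_id() helpers compute. With fixed set to false the network address produced by CIDR masking escapes the range check; with fixed set to true it is rejected.

```c
#include <stdbool.h>
#include <stdint.h>

#define HOST_MASK 32
#define ERR_RANGE (-1)

/* Constructed stand-in for the bitmap:ip set header (not the kernel's
 * struct): the set covers [first_ip, last_ip], one bit per `hosts` addresses. */
struct bitmap_ip { uint32_t first_ip, last_ip, hosts; };

/* Host mask for a CIDR prefix, as ip_set_hostmask() computes it. */
static uint32_t hostmask(uint8_t cidr)
{
    return cidr ? (~0u << (HOST_MASK - cidr)) : 0;
}

/* Bit index for an address, as ip_to_id() computes it. With ip below
 * first_ip the subtraction wraps and the index lands far outside the bitmap. */
static uint32_t ip_to_id(const struct bitmap_ip *m, uint32_t ip)
{
    return (ip - m->first_ip) / m->hosts;
}

/* Range validation in the shape of bitmap_ip_uadt. has_ip_to models
 * tb[IPSET_ATTR_IP_TO], has_cidr models tb[IPSET_ATTR_CIDR]. With
 * fixed == false the re-check of ip after CIDR masking is left out,
 * which is the defect behind CVE-2024-53141. Returns 0 on accept. */
static int range_check(const struct bitmap_ip *m, uint32_t ip,
                       bool has_ip_to, uint32_t ip_to, bool has_cidr,
                       uint8_t cidr, bool fixed, uint32_t *from, uint32_t *to)
{
    if (ip < m->first_ip || ip > m->last_ip)      /* early check on raw ip */
        return ERR_RANGE;
    if (has_ip_to) {
        if (ip > ip_to) {                         /* swap(ip, ip_to) */
            uint32_t t = ip; ip = ip_to; ip_to = t;
            if (ip < m->first_ip)
                return ERR_RANGE;
        }
    } else if (has_cidr) {
        if (cidr == 0 || cidr > HOST_MASK)
            return ERR_RANGE;
        ip &= hostmask(cidr);                     /* ip_set_mask_from_to(): */
        ip_to = ip | ~hostmask(cidr);             /* ip may now be < first_ip */
    } else {
        ip_to = ip;
    }
    if (ip_to > m->last_ip)
        return ERR_RANGE;
    if (fixed && ip < m->first_ip)                /* the check the fix adds */
        return ERR_RANGE;
    *from = ip; *to = ip_to;
    return 0;
}
```

For a set covering 10.0.0.8 to 10.0.0.255, adding 10.0.0.12/28 passes the early check on the raw address but masks down to 10.0.0.0, which the vulnerable path accepts and the fixed path rejects.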

“This vulnerability provides threat actors with a powerful exploit chain that can ultimately lead to privilege escalation, KASLR bypass, and full kernel-level code execution,” reads the security advisory.

System administrators are advised to update affected systems immediately, as the public availability of exploit code significantly increases the likelihood of attacks targeting unpatched systems.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
