CVE-2013-2094
published 2013-05-14


Priority: P186 high
CVSS 3.1: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-10-06
Exploited in the wild
EPSS: 47.71% (98.7th percentile)

The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
debian | linux | < linux 3.8.11-1 (bookworm) | linux 3.8.11-1 (bookworm)
linux | linux_kernel | < 3.0.75 | 3.0.75
linux | linux_kernel | >= 0 < 3.8.11-1 | 3.8.11-1
linux | linux_kernel | >= 0 < 3.8.11-1 | 3.8.11-1
linux | linux_kernel | >= 0 < 3.8.11-1 | 3.8.11-1
linux | linux_kernel | >= 0 < 3.8.11-1 | 3.8.11-1
linux | linux_kernel | >= 3.1 < 3.2.45 | 3.2.45
linux | linux_kernel | >= 3.3 < 3.4.42 | 3.4.42
linux | linux_kernel | >= 3.5 < 3.8.9 | 3.8.9

Detection & IOCs (extracted from sources)

command: syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0)
bytes: 0f 01 f8 e8 05 00 00 00 0f 01 f8 48 cf
  • Detect exploitation of CVE-2013-2094 by monitoring for perf_event_open syscall (syscall number 298 on x86_64) invocations with a large/negative config offset value (e.g., 0xFFFFFFFFL or -1/-2) from unprivileged processes, which is the trigger mechanism used in public exploits.
  • Monitor for mmap calls mapping executable memory at low kernel-adjacent addresses (e.g., 0x380000000, 0x1780000000) combined with perf_event_open syscall activity — a pattern consistent with CVE-2013-2094 exploit staging.
  • The Skygofree exploit payload targets the perf_swevent_init vulnerability (CVE-2013-2094) alongside other CVEs; look for exploit ELF files named 'run_root_shell', 'arrs_put_user.o', 'arrs_put_user', or 'poc' dropped on Android devices.
  • The CVE-2013-2094 exploit uses the IDT (Interrupt Descriptor Table) address to calculate the malicious perf_event_open offset; detection systems can look for SIDT instruction execution in user-space processes as a precursor indicator.
  • The exploit achieves privilege escalation by zeroing credential fields in the kernel task_struct; monitor for unexpected UID/GID transitions to 0 (root) immediately following perf_event_open syscall activity.
  • CVE-2013-2094 is exploitable via the perf_event_open system call on Linux kernels before 3.8.9; systems running affected kernel versions with perf_event_open accessible to unprivileged users are at risk.
  • The exploit payload targets specific kernel symbol addresses (perf_swevent_enabled, commit_creds, prepare_kernel_cred) that are hardcoded per Ubuntu kernel version; the offsets differ across targets and the exploit requires a target index to select the correct addresses.
  • The exploit behavior differs depending on whether CONFIG_JUMP_LABEL is set in the kernel build; the exploit auto-detects this and adjusts the element size (sz=4 vs sz=24) and base address accordingly.
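
The UID-transition heuristic from the bullets above, written as an added example (not code from this page or its sources). It assumes x86_64 auditd SYSCALL records are being collected for perf_event_open, execve and subsequent activity; the log lines, field subset and function names are constructed for illustration.

```python
import re

PERF_EVENT_OPEN = 298  # x86_64 syscall number quoted in the bullets above
EXECVE = 59            # x86_64 execve: a new program image resets tracking
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed, abbreviated auditd SYSCALL records (not taken from a real host).
SAMPLE = [
    'type=SYSCALL msg=audit(1.0:1): syscall=298 pid=4242 uid=1000 euid=1000 exe="/tmp/sample"',
    'type=SYSCALL msg=audit(1.1:2): syscall=59 pid=4242 uid=0 euid=0 exe="/bin/sh"',
    'type=SYSCALL msg=audit(2.0:3): syscall=298 pid=5000 uid=1000 euid=1000 exe="/usr/bin/perf"',
    'type=SYSCALL msg=audit(2.1:4): syscall=59 pid=5000 uid=1000 euid=0 exe="/usr/bin/sudo"',
    'type=SYSCALL msg=audit(2.2:5): syscall=2 pid=5000 uid=0 euid=0 exe="/usr/bin/sudo"',
]

def parse(line):
    """Return the key=value fields of one SYSCALL record, or None for other types."""
    if not line.startswith("type=SYSCALL"):
        return None
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_suspect_pids(lines):
    """Flag pids that call perf_event_open with a non-zero real uid and are
    later seen with real uid 0 without a preceding unprivileged execve."""
    armed = {}   # pid -> uid at the time of the unprivileged perf_event_open
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or not {"pid", "uid", "syscall"} <= rec.keys():
            continue
        pid, uid, nr = rec["pid"], int(rec["uid"]), int(rec["syscall"])
        if pid in armed and uid == 0:
            # Real uid became 0 while the same program image was still running.
            alerts.append({"pid": pid, "exe": rec.get("exe"),
                           "from_uid": armed.pop(pid)})
        elif nr == PERF_EVENT_OPEN and uid != 0:
            armed[pid] = uid
        elif nr == EXECVE:
            # A setuid exec keeps the real uid; later setuid(0) is then expected.
            armed.pop(pid, None)
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_pids(SAMPLE):
        print("suspect uid transition:", alert)
```

auditd records only the pointer to perf_event_attr (a0), not the config value inside it, so the correlation on real uid is what these records can support.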

CVSS provenance

nvd (v3.1): 8.4 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
osv: 8.4 HIGH
vulncheck: 8.4 HIGH
cisa: 8.4 HIGH
vendor_debian: 8.4 HIGH
vendor_redhat: 8.4 HIGH
vendor_ubuntu: 8.4 HIGH