CVE-2015-0565
published 2020-02-25

CVE-2015-0565: NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.

Priority: P2 (64)
Severity: critical, 10.0 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EXPLOIT
EPSS
13.25%
95.9th percentile

Affected (3 ranges)

Vendor   Product         Version range   Fixed in
debian   nacl            (not listed)    (not listed)
google   native_client   (not listed)    (not listed)
nacl     nacl            (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36311.tar.gz
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36310.tar.gz
filename: rowhammer_escape_test.c
filename: inject_bit_flip_for_testing.patch
command: CLFLUSH
  • Detect use of the CLFLUSH instruction within the NaCl sandbox context; its presence in NaCl x86-64 validator-passed code is the core enabler of this rowhammer exploit. Note that CLFLUSH is an ordinary unprivileged instruction, so outside a NaCl code region its presence is not an indicator by itself.
  • Monitor for NaCl dyncode_create() syscall activity, which is the interface the exploit uses to load dynamically injected code and then look for bit flips in it.
  • Flag NaCl sandbox escapes where read-only code regions are modified, producing instruction sequences that would fail the NaCl x86-64 validator if re-validated after execution.
  • The NaCl rowhammer exploit (CVE-2015-0565) only works on machines whose DRAM is physically susceptible to rowhammer; patched/newer NaCl versions disallow CLFLUSH in the validator, neutralizing this attack vector.
  • The Linux kernel rowhammer PoC (EDB-36310) requires /dev/mem to be enabled (CONFIG_STRICT_DEVMEM disabled) for its test mode; production exploitation targets PTE bit flips without this requirement.
  • Debian tracking shows CVE-2015-0565 still open across multiple releases (bookworm, bullseye, forky, sid, trixie), meaning the nacl packages in these distributions are not marked as fixed and may still permit CLFLUSH.
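The first detection bullet above is easier to apply with a concrete matcher. The following scanner is an added example, not code from the NaCl project or from the exploit-db PoCs: it walks a buffer of x86-64 code bytes and reports every CLFLUSH (0F AE /7 with a memory operand) and CLFLUSHOPT (66 0F AE /7) encoding, while deliberately not flagging SFENCE (0F AE F8), which shares the opcode and reg field but has mod == 3. The sample byte buffers (a typical two-address hammer loop and a few fence encodings) are constructed for this example. The scan is byte-aligned rather than instruction-aligned so that an encoding reached by a misaligned jump is still found; the price is an occasional hit on immediate or displacement bytes that merely look like the opcode, which is why the right place to apply the same rule in NaCl itself is the validator's own decoder.

```c
/* clflush_scan.c: flag CLFLUSH / CLFLUSHOPT encodings in x86-64 code bytes.
 * Added example; not NaCl project code and not from the exploit-db PoCs.
 * All sample buffers below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Legacy prefixes that may legally precede an 0F AE opcode. */
static int is_legacy_prefix(uint8_t b) {
    switch (b) {
    case 0x66: case 0x67: case 0xF2: case 0xF3: case 0xF0:
    case 0x2E: case 0x36: case 0x3E: case 0x26: case 0x64: case 0x65:
        return 1;
    default:
        return 0;
    }
}

/* Length of a ModRM memory operand (ModRM + optional SIB + displacement).
 * Only called for mod != 3. Returns 0 if the bytes are truncated. */
static size_t modrm_mem_len(const uint8_t *p, size_t remaining) {
    uint8_t modrm = p[0], mod = modrm >> 6, rm = modrm & 7;
    size_t len = 1;
    if (rm == 4) {                                   /* SIB byte follows */
        if (remaining < 2) return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;   /* no base register: disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                    /* RIP-relative disp32 */
    }
    if (mod == 1) len += 1;                          /* disp8 */
    else if (mod == 2) len += 4;                     /* disp32 */
    return len <= remaining ? len : 0;
}

/* If a CLFLUSH or CLFLUSHOPT instruction starts at p, return its length and
 * set *opt to 1 for CLFLUSHOPT (0x66 prefix present); otherwise return 0. */
size_t clflush_at(const uint8_t *p, size_t remaining, int *opt) {
    size_t i = 0;
    int has66 = 0;
    while (i < remaining && is_legacy_prefix(p[i])) {
        if (p[i] == 0x66) has66 = 1;
        i++;
    }
    if (i < remaining && (p[i] & 0xF0) == 0x40) i++; /* REX prefix (64-bit mode) */
    if (remaining - i < 3 || p[i] != 0x0F || p[i + 1] != 0xAE) return 0;
    uint8_t modrm = p[i + 2];
    /* 0F AE /7 with a memory operand is CLFLUSH. With mod == 3 the same
     * opcode and reg field encode SFENCE (0F AE F8): must not be flagged. */
    if (((modrm >> 3) & 7) != 7 || (modrm >> 6) == 3) return 0;
    size_t mlen = modrm_mem_len(p + i + 2, remaining - i - 2);
    if (mlen == 0) return 0;
    if (opt) *opt = has66;
    return i + 2 + mlen;
}

/* Scan every byte offset (not instruction-aligned). Returns the number of
 * hits and stores up to max starting offsets in offsets[]. */
size_t scan_clflush(const uint8_t *code, size_t len, size_t *offsets, size_t max) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++) {
        int opt = 0;
        size_t n = clflush_at(code + i, len - i, &opt);
        if (n) {
            if (offsets && hits < max) offsets[hits] = i;
            hits++;
            i += n - 1;                              /* do not re-match inside the hit */
        }
    }
    return hits;
}

/* Policy the patched NaCl validator enforces: no CLFLUSH in sandboxed code. */
int region_passes_no_clflush_policy(const uint8_t *code, size_t len) {
    return scan_clflush(code, len, NULL, 0) == 0;
}

int is_clflushopt(const uint8_t *p, size_t len) {
    int opt = 0;
    return clflush_at(p, len, &opt) != 0 && opt;
}

/* Constructed sample: mov (%rax),%rcx; mov (%rbx),%rdx; clflush (%rax);
 * clflush (%rbx); mfence; jmp back to start. */
const uint8_t HAMMER_LOOP[] = {
    0x48, 0x8B, 0x08,  0x48, 0x8B, 0x13,
    0x0F, 0xAE, 0x38,  0x0F, 0xAE, 0x3B,
    0x0F, 0xAE, 0xF0,  0xEB, 0xEF
};
const uint8_t FENCES[]     = { 0x0F, 0xAE, 0xF8,  0x0F, 0xAE, 0xE8,  0x0F, 0xAE, 0xF0 }; /* sfence lfence mfence */
const uint8_t CLFLUSHOPT[] = { 0x66, 0x0F, 0xAE, 0x39 };                                /* clflushopt (%rcx) */
const uint8_t RIP_REL[]    = { 0x0F, 0xAE, 0x3D, 0x00, 0x00, 0x00, 0x00 };              /* clflush 0(%rip) */
const uint8_t SIB_FORM[]   = { 0x0F, 0xAE, 0x3C, 0x24 };                                /* clflush (%rsp) */
const uint8_t TRUNCATED[]  = { 0x0F, 0xAE, 0x3D, 0x00 };                                /* cut-off disp32 */
const uint8_t XSAVEOPT[]   = { 0x0F, 0xAE, 0x30 };                                      /* 0F AE /6, not /7 */

int main(void) {
    size_t off[8];
    size_t n = scan_clflush(HAMMER_LOOP, sizeof HAMMER_LOOP, off, 8);
    printf("hammer loop: %zu CLFLUSH hit(s)", n);
    for (size_t i = 0; i < n; i++) printf(" @%zu", off[i]);
    printf("\npolicy: %s\n", region_passes_no_clflush_policy(HAMMER_LOOP, sizeof HAMMER_LOOP)
                              ? "pass" : "reject (CLFLUSH present)");
    return 0;
}
```

Run on the hammer loop it reports two hits, at offsets 6 and 9, and rejects the region; the fence-only buffer passes, since SFENCE/LFENCE/MFENCE share the 0F AE opcode but never carry a memory operand.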

CVSS provenance

nvd            v3.1   10.0   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd            v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                   10.0   CRITICAL
vendor_debian         10.0   LOW