⚠ Actively exploited
Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-24. Required action: Apply updates per vendor instructions.
Severity: 7.0 HIGH
EPSS: 94.2% (top 0.08%)
CISA KEV: added 2022-03-03, due 2022-03-24
Exploit: Exploited in wild; active exploitation observed

Timeline
Published: Nov 10
KEV added: Mar 3
KEV due: Mar 24
Latest update: Aug 9

Description

Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.0 | Impact: 5.9

Affected Packages (5 packages)

NVD | linux/linux_kernel | 2.6.22 | 3.2.83 | +9
CVEListV5 | linux/linux | 9ae0f87d009ca6c4aab2882641ddfc319727e3db | 9def52eb10baab3b700858003d462fcf17d62873 | +2
Debian | linux | < 4.7.8-1 | +3
NVD | paloaltonetworks/pan-os | 5.1 | 7.0.14 | +1

Also affects: Debian Linux 7.0, 8.0, Ubuntu Linux 12.04, 14.04, 16.04, 16.10, Enterprise Linux 5, 6.0, 7.0, 6.2, 6.4, 6.5, 6.6, 6.7, 7.1, Fedora 23, 24, 25

Patches

🔴 Vulnerability Details (8)

Kernel - mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW (2022-08-09)
GHSA - GHSA-j68w-7qm9-fjqq: Race condition in mm/gup (2022-05-13)
Project0 - In-the-Wild Series: Android Exploits - Project Zero (2021-01-01)
Project0 - Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero (2020-07-01)
Project0 - Taking a page from the kernel's book: A TLB issue in mremap() - Project Zero (2019-01-01)

💥 Exploits & PoCs (5)

Exploit-DB - Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) (2016-11-28)
Exploit-DB - Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) (2016-11-27)
Exploit-DB - Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method) (2016-10-26)
Exploit-DB - Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) (2016-10-21)
Exploit-DB - Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) (2016-10-19)

🔍 Detection Rules (17)

YARA - Linux_Exploit_CVE_2016_5195_ab87c1ed
YARA - Linux_Exploit_CVE_2016_5195_ffa7f059
YARA - Linux_Exploit_CVE_2016_5195_d41c2c63
YARA - Linux_DirtyCow_Exploit
YARA - Linux_Exploit_CVE_2016_5195_7448814c

📋 Vendor Advisories (12)

CISA - Linux Kernel Race Condition Vulnerability (2022-03-03)
Cisco - Cisco TelePresence Video Communication Server Test Validation Script Issue (2018-11-07)
Android - CVE-2016-5195: Android Security Bulletin 2016-11-01 CVE: CVE-2016-5195 Severity: CRITICAL Affected AOSP versions: 3 (2016-11-01)
Cisco - Vulnerability in Linux Kernel Affecting Cisco Products: October 2016 (2016-10-26)
Ubuntu - Linux kernel (Raspberry Pi 2) vulnerability (2016-10-24)

🕵️ Threat Intelligence (1)

Trendmicro - ZNIU: First Android Malware to Exploit Dirty COW (2017-09-25)

💬 Community (5)

Bugzilla - CVE-2017-1000405 kernel: pmd can become dirty without going through a COW cycle (2017-11-22)
Bugzilla - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage [3.10.0-327.28.2.el7] (2016-10-21)
Bugzilla - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage [3.10.0-327.28.3.el7] (2016-10-21)
Bugzilla - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage [fedora-all] (2016-10-20)
Bugzilla - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage (2016-10-13)