CVE-2000-0994

OpenBSD - Local Privilege Escalation via PWD Environment Variable Format String

Exploitation Summary

EIP tracks 1 public exploit for CVE-2000-0994. PoCs published by K2.

AI-analyzed exploit summary: This exploit leverages a format string vulnerability in the BSD `fstat` utility (sgid kmem) by manipulating the `PWD` environment variable to overwrite stack memory and execute shellcode, achieving privilege escalation to egid kmem.

Description

Format string vulnerability in OpenBSD fstat program (and possibly other BSD-based operating systems) allows local users to gain root privileges via the PWD environmental variable.

Exploits (1)

exploitdb WORKING POC VERIFIED
by K2 · c · local · openbsd
https://www.exploit-db.com/exploits/20256

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: BSD fstat (confirmed on OpenBSD 2.7 i386)
No auth needed
Prerequisites: Access to a vulnerable BSD system with `fstat` installed · Ability to set environment variables
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=97068555106135&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5338
Exploit, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1746

Scores

EPSS 0.0140
EPSS Percentile 69.0%

Details

Status published
Products (5)
openbsd/openbsd 2.3
openbsd/openbsd 2.4
openbsd/openbsd 2.5
openbsd/openbsd 2.6
openbsd/openbsd 2.7
Published Dec 19, 2000
Tracked Since Feb 18, 2026