CVE-2001-1036

GNU locate in findutils <4.1 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2001-1036. PoCs published by Josh Smith.

AI-analyzed exploit summary This exploit targets a boundary condition error in GNU locate (pre-4.0) by crafting a malicious database entry. It leverages a buffer overflow to execute arbitrary shellcode, potentially leading to remote code execution when a user runs the locate program.

Description

GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 allows local users to gain privileges via an old formatted filename database (locatedb) that contains an entry with an out-of-range offset, which causes locate to write to arbitrary process memory.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Josh Smith · clocallinux
https://www.exploit-db.com/exploits/21043

This exploit targets a boundary condition error in GNU locate (pre-4.0) by crafting a malicious database entry. It leverages a buffer overflow to execute arbitrary shellcode, potentially leading to remote code execution when a user runs the locate program.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GNU locate prior to version 4.0
No auth needed
Prerequisites: Ability to write to a locate database file used by other users
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/6932
Exploit, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/3127
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/200991
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/5477

Scores

EPSS 0.0090
EPSS Percentile 55.0%

Details

Status published
Products (4)
gnu/findutils 4.0
gnu/findutils 4.1
slackware/slackware_linux 7.1
slackware/slackware_linux 8.0
Published Aug 31, 2001
Tracked Since Feb 18, 2026