CVE-2003-0127

EXPLOITED

Linux kernel <2.2.25-2.4.21 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2003-0127 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including KuRaK, Wojciech Purczynski, [email protected].

AI-analyzed exploit summary This exploit targets a Linux kernel vulnerability (CVE-2003-0127) in versions up to 2.4.20, leveraging the kernel module loader to achieve local privilege escalation. It uses ptrace to inject shellcode into a modprobe process, executing arbitrary code as root.

Description

The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.

Exploits (5)

exploitdb WORKING POC VERIFIED
by KuRaK · clocallinux
https://www.exploit-db.com/exploits/12

This exploit targets a Linux kernel vulnerability (CVE-2003-0127) in versions up to 2.4.20, leveraging the kernel module loader to achieve local privilege escalation. It uses ptrace to inject shellcode into a modprobe process, executing arbitrary code as root.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel up to 2.4.20
No auth needed
Prerequisites: Local access to the vulnerable system · Kernel version <= 2.4.20
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Wojciech Purczynski · clocallinux
https://www.exploit-db.com/exploits/22363

This exploit leverages a race condition in the Linux kernel's ptrace() system call to attach to a root-spawned process (modprobe), allowing privilege escalation to superuser. It injects shellcode to bind a root shell on port 24876.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel 2.2 and 2.4
No auth needed
Prerequisites: Access to a vulnerable Linux kernel (2.2 or 2.4) · Ability to execute code on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Wojciech Purczynski · clocallinux
https://www.exploit-db.com/exploits/3

This exploit leverages a race condition in the Linux kernel's kmod.c to ptrace a cloned process, allowing control over a privileged modprobe binary for local privilege escalation. It injects shellcode to spawn a root shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel 2.2.x and 2.4.x
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Kernel version 2.2.x or 2.4.x
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by [email protected] · clocallinux
https://www.exploit-db.com/exploits/22362

This exploit leverages a ptrace() system call vulnerability in Linux kernels 2.2 and 2.4 to gain superuser privileges by attaching to a root process during a specific time window. It injects shellcode to execute arbitrary commands or spawn a shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Linux kernel 2.2 and 2.4
No auth needed
Prerequisites: Access to a vulnerable Linux system with kernel 2.2 or 2.4 · Ability to execute the exploit binary
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by anilkashyap01 · poc
https://github.com/anilkashyap01/Binary-Exploitation-and-Kernel-Escalation

This repository provides a detailed technical walkthrough of exploiting CVE-2002-0082 (mod_ssl buffer overflow) for initial access and CVE-2003-0127 (ptrace race condition) for privilege escalation. It includes step-by-step enumeration, exploit selection, compilation, and execution details.

Classification
Writeup 95%
Attack Type
Rce | Lpe
Complexity
Moderate
Reliability
Reliable
Target: Apache mod_ssl 2.8.4 (CVE-2002-0082) and Linux kernel 2.4.7-10 (CVE-2003-0127)
No auth needed
Prerequisites: Outdated Apache/mod_ssl version · Vulnerable Linux kernel version · Network access to target
devstral-2 · analyzed Apr 16, 2026 Full analysis →

References (20)

Core 20
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2003-103.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2003-088.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-270
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2004/dsa-423
Patch, Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2003-098.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-336
Various Sources vendor-advisory x_refsource_caldera
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-020.0.txt
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-276
Mailing List vendor-advisory x_refsource_engarde
http://marc.info/?l=bugtraq&m=105301461726555&w=2
Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2003:039
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2004/dsa-495
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200303-17.xml
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-311
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-332
Third Party Advisory mailing-list x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0134.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A254
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2003-145.html
Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2003:038
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-312
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/628849

Scores

EPSS 0.0095
EPSS Percentile 76.9%

Details

VulnCheck KEV 2017-06-20
Status published
Products (47)
linux/linux_kernel 2.2.0
linux/linux_kernel 2.2.1
linux/linux_kernel 2.2.2
linux/linux_kernel 2.2.3
linux/linux_kernel 2.2.4
linux/linux_kernel 2.2.5
linux/linux_kernel 2.2.6
linux/linux_kernel 2.2.7
linux/linux_kernel 2.2.8
linux/linux_kernel 2.2.9
... and 37 more
Published Mar 31, 2003
Tracked Since Feb 18, 2026