CVE-2004-0996

cscope <15-5 - Local Privilege Escalation

Exploitation Summary

EIP tracks 2 public exploits for CVE-2004-0996. PoCs published by Gangstuck.

AI-analyzed exploit summary: This exploit leverages a symbolic link attack in Cscope versions up to 15.5, which creates predictable temporary files in /tmp. By creating malicious symlinks, an attacker can overwrite arbitrary files with the privileges of the user executing Cscope.

Description

main.c in cscope 15-4 and 15-5 creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Gangstuck · c · local · linux
https://www.exploit-db.com/exploits/24750

This exploit leverages a symbolic link attack in Cscope versions up to 15.5, which creates predictable temporary files in /tmp. By creating malicious symlinks, an attacker can overwrite arbitrary files with the privileges of the user executing Cscope.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Cscope up to 15.5
No auth needed
Prerequisites: Write access to /tmp directory · Ability to predict or iterate over process IDs
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Gangstuck · bash · local · linux
https://www.exploit-db.com/exploits/24749

This exploit leverages a symlink vulnerability in Cscope (versions up to 15.5) to overwrite arbitrary files by predicting temporary file names in /tmp. It brute-forces process IDs to create malicious symlinks that Cscope will follow when executed by an unsuspecting user.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Racy
Target: Cscope up to 15.5
No auth needed
Prerequisites: Access to the target system's /tmp directory · Ability to execute the script before the target user runs Cscope
devstral-2 · analyzed Feb 16, 2026

References (13)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18125
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2732
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/381611
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/381443
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11697
Patch, Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2004/dsa-610
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=110133485519690&w=2
Vendor Advisory x_refsource_confirm
http://docs.info.apple.com/article.html?artnum=306172
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/381506
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25159
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200412-11.xml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26235

Scores

EPSS 0.0115
EPSS Percentile 62.6%

Details

Status published
Products (10)
cscope/cscope 13.0
cscope/cscope 15.1
cscope/cscope 15.3
cscope/cscope 15.4
cscope/cscope 15.5
debian/debian_linux 3.0 (12 CPE variants)
gentoo/linux
sco/unixware 7.1.1
sco/unixware 7.1.3
sco/unixware 7.1.4
Published Jan 10, 2005
Tracked Since Feb 18, 2026