CVE-2004-1235

Linux kernel <2.6.11 - RCE

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2004-1235. PoCs published by sd, Tim Hsu, Paul Starzetz.

AI-analyzed exploit summary: This exploit targets a local privilege escalation vulnerability in Linux kernels 2.4 and 2.6 via sys_uselib. It manipulates memory mappings and VMA structures to achieve root access by exploiting race conditions and memory management flaws.

Description

Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.4.29-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.

Exploits (3)

exploitdb WORKING POC VERIFIED
by sd · c · local · linux
https://www.exploit-db.com/exploits/895

This exploit targets a local privilege escalation vulnerability in Linux kernels 2.4 and 2.6 via sys_uselib. It manipulates memory mappings and VMA structures to achieve root access by exploiting race conditions and memory management flaws.

Classification
Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 2.4 and 2.6
Auth required
Prerequisites: Local access to the system · Ability to compile and execute C code · Approximately 1GB of free filesystem space
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Tim Hsu · c · local · linux
https://www.exploit-db.com/exploits/778

This exploit targets a race condition in the Linux kernel 2.4 series' `uselib()` system call to achieve local privilege escalation. It manipulates memory mappings and LDT entries to execute arbitrary code in kernel mode, ultimately resetting UIDs to gain root privileges.

Classification
Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 2.4 series
No auth needed
Prerequisites: Local access to a vulnerable Linux 2.4 system · Ability to compile and execute C code
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Paul Starzetz · c · local · linux
https://www.exploit-db.com/exploits/744

This exploit targets a race condition in the Linux kernel's binfmt_elf uselib VMA handling (CVE-2004-1235) to achieve local privilege escalation. It manipulates memory mappings and LDT entries to execute arbitrary kernel code, ultimately gaining root privileges.

Classification
Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2004-1235)
No auth needed
Prerequisites: Local access to the vulnerable system · Kernel version vulnerable to CVE-2004-1235
devstral-2 · analyzed Feb 16, 2026

References (25)

Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-017.html
Issue Tracking vendor-advisory x_refsource_fedora
https://bugzilla.fedora.us/show_bug.cgi?id=2336
Various Sources x_refsource_misc
http://isec.pl/vulnerabilities/isec-0021-uselib.txt
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-016.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20163
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1082
Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2005:022
Third Party Advisory, VDB Entry x_refsource_confirm
http://www.securityfocus.com/advisories/7804
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1070
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20162
Patch, Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-043.html
Vendor Advisory vendor-advisory x_refsource_trustix
http://www.trustix.org/errata/2005/0001/
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-092.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1067
Third Party Advisory, VDB Entry vendor-advisory x_refsource_fedora
http://www.securityfocus.com/advisories/7805
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1069
Vendor Advisory vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2005_01_sr.html
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/12190
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18800
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=110512575901427&w=2
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9567
Third Party Advisory, VDB Entry vendor-advisory x_refsource_fedora
http://www.securityfocus.com/advisories/7806
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20202
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20338

Scores

EPSS 0.0289
EPSS Percentile 85.1%

Details

Status published
Products (34)
avaya/converged_communications_server 2.0
avaya/intuity_audix
avaya/mn100
avaya/modular_messaging_message_storage_server 1.1
avaya/modular_messaging_message_storage_server 2.0
avaya/network_routing
avaya/s8300 r2.0.0
avaya/s8300 r2.0.1
avaya/s8500 r2.0.0
avaya/s8500 r2.0.1
... and 24 more
Published Apr 14, 2005
Tracked Since Feb 18, 2026