CVE-2005-0666

PaX <2005.03.05 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-0666. PoCs published by Christophe Devine.

AI-analyzed exploit summary This exploit leverages a PaX memory protection bypass (CVE-2005-0666) to achieve local privilege escalation by manipulating VMA mappings and executing shellcode via a cloned process. It targets systems with grsecurity patches and requires specific memory layout conditions.

Description

Unknown vulnerability in PaX from the September 2003 release to 2.2 before 2005.03.05, related to SEGMEXEC or RANDEXEC and VMA mirroring, allows local users and possibly remote attackers to bypass intended access restrictions and execute arbitrary code.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Christophe Devine · clocallinux

https://www.exploit-db.com/exploits/876

View Code ZIP pw:eip

This exploit leverages a PaX memory protection bypass (CVE-2005-0666) to achieve local privilege escalation by manipulating VMA mappings and executing shellcode via a cloned process. It targets systems with grsecurity patches and requires specific memory layout conditions.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel 2.4.29 with grsecurity-2.1.1-2.4.29-200501231159

No auth needed

Prerequisites: Local access · PaX/grsecurity-patched kernel · Specific memory layout conditions

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/12729

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/392348

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/14489

Scores

EPSS 0.0253

EPSS Percentile 82.8%

Details

Status published

Products (11)

the_pax_team/pax_linux 2.2

the_pax_team/pax_linux 2.4.20

the_pax_team/pax_linux 2.4.21

the_pax_team/pax_linux 2.4.22

the_pax_team/pax_linux 2.4.23

the_pax_team/pax_linux 2.4.24

the_pax_team/pax_linux 2.4.25

the_pax_team/pax_linux 2.4.26

the_pax_team/pax_linux 2.4.27

the_pax_team/pax_linux 2.4.28

... and 1 more

Published May 02, 2005

Tracked Since Feb 18, 2026