CVE-2005-0750

Linux Kernel <2.6.11.5 - Privilege Escalation

Exploitation Summary

EIP tracks 4 public exploits for CVE-2005-0750. PoCs published by backdoored.net, qobaiashi, ilja van sprundel.

AI-analyzed exploit summary: This exploit leverages a signed-buffer-index vulnerability in the Linux kernel's Bluetooth stack (CVE-2005-0750) to achieve local privilege escalation. It brute-forces kernel memory to overwrite a function pointer with shellcode, granting root access.

Description

The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.

Exploits (4)

exploitdb WORKING POC VERIFIED
by backdoored.net · c · local · linux
https://www.exploit-db.com/exploits/25289

This exploit leverages a signed-buffer-index vulnerability in the Linux kernel's Bluetooth stack (CVE-2005-0750) to achieve local privilege escalation. It brute-forces kernel memory to overwrite a function pointer with shellcode, granting root access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Linux Kernel < 2.6.11.5
Auth required
Prerequisites: Local access to the target system · Bluetooth stack enabled in the kernel
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by qobaiashi · c · local · linux
https://www.exploit-db.com/exploits/25288

This exploit targets a signed-buffer-index vulnerability in the Linux kernel's Bluetooth subsystem (CVE-2005-0750) to achieve local privilege escalation. It manipulates the `ecx` register to point to a controlled memory region containing shellcode that modifies kernel structures to grant root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (tested on 2.6.4 and 2.6.11)
No auth needed
Prerequisites: Local access to the target system · Bluetooth subsystem enabled · Kernel version 2.6.4 or 2.6.11
devstral-2 · analyzed Feb 16, 2026

exploitdb STUB VERIFIED
by ilja van sprundel · c · dos · linux
https://www.exploit-db.com/exploits/25287

This code is a minimal stub for CVE-2005-0750, demonstrating the opening of an HCI socket with a negative protocol value. It lacks the actual exploit logic to trigger the signed-buffer-index vulnerability for privilege escalation.

Classification: Stub 80%
Attack Type: LPE
Complexity: Trivial
Reliability: Theoretical
Target: Linux kernel (versions affected by CVE-2005-0750)
Auth required
Prerequisites: Local access to the target system · Bluetooth subsystem enabled
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
c · local · linux
https://www.exploit-db.com/exploits/926

This is a local privilege escalation exploit for CVE-2005-0750, targeting a vulnerability in the BlueZ Bluetooth stack on Linux kernels. It manipulates the `ecx` register to redirect execution to a shellcode payload, granting root access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (BlueZ Bluetooth stack) versions 2.6.x
Auth required
Prerequisites: Local access to the system · BlueZ Bluetooth stack installed
devstral-2 · analyzed Feb 19, 2026

References (10)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/19844
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-366.html
Patch, Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-283.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111204562102633&w=2
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11719
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/12911
Issue Tracking vendor-advisory x_refsource_fedora
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-293.html
Patch, Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-284.html
Vendor Advisory mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032913.html

Scores

EPSS 0.0060
EPSS Percentile 70.0%

Details

Status published
Products (46)
conectiva/linux 10.0
linux/linux_kernel 2.4.6
linux/linux_kernel 2.4.7
linux/linux_kernel 2.4.8
linux/linux_kernel 2.4.9
linux/linux_kernel 2.4.10
linux/linux_kernel 2.4.11
linux/linux_kernel 2.4.12
linux/linux_kernel 2.4.13
linux/linux_kernel 2.4.14
... and 36 more
Published Mar 27, 2005
Tracked Since Feb 18, 2026