CVE-2006-2451

Linux Kernel 2.6.13-2.6.17.3 & 2.6.16-2.6.16.23 - DoS & Privilege Escalation via suid_dumpable

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2006-2451. PoCs published by Marco Ivaldi, Sunay, Julien Tinnes.

AI-analyzed exploit summary This exploit leverages CVE-2006-2451 by manipulating the `PR_SET_DUMPABLE` prctl argument to create a core dump in a restricted directory, then uses logrotate to execute arbitrary commands as root. It creates a setuid helper binary to gain root privileges.

Description

The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Marco Ivaldi · clocallinux
https://www.exploit-db.com/exploits/2031

This exploit leverages CVE-2006-2451 by manipulating the `PR_SET_DUMPABLE` prctl argument to create a core dump in a restricted directory, then uses logrotate to execute arbitrary commands as root. It creates a setuid helper binary to gain root privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel 2.6.13 to 2.6.17.4 (excluding 2.6.16.24)
No auth needed
Prerequisites: Ability to execute code on the target system · Access to /etc/logrotate.d directory · logrotate must be configured to run
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Sunay · bashlocallinux
https://www.exploit-db.com/exploits/2011

This exploit leverages a vulnerability in the `prctl` system call (CVE-2006-2451) to achieve local privilege escalation by manipulating core dump behavior and creating a cron job to set the SUID bit on a shell binary. The exploit is designed for Linux kernels 2.6.13 to 2.6.17.4 and 2.6.9-22.ELsmp.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel versions 2.6.13 to 2.6.17.4 and 2.6.9-22.ELsmp
No auth needed
Prerequisites: Local access to the target system · Compilation tools (gcc) available on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Marco Ivaldi · clocallinux
https://www.exploit-db.com/exploits/2006

This exploit leverages CVE-2006-2451, a Linux kernel vulnerability in the suid_dumpable feature (2.6.13 to 2.6.17.4 and 2.6.16 before 2.6.16.24). It abuses the PR_SET_DUMPABLE prctl argument to create a core dump in a restricted directory (/etc/cron.d), then injects a malicious cron job to gain root privileges via a setuid helper.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel 2.6.13 to 2.6.17.4 and 2.6.16 before 2.6.16.24
No auth needed
Prerequisites: Local access to the vulnerable system · Vixie's crontab configuration (e.g., /etc/cron.d)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Julien Tinnes · clocallinux
https://www.exploit-db.com/exploits/2005

This exploit leverages a flaw in Linux kernels >= 2.6.13 where PR_SET_DUMPABLE allows a user to create a root-owned coredump in any directory. The exploit forges a malicious cron job to escalate privileges by manipulating the coredump file.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel >= 2.6.13
No auth needed
Prerequisites: Access to a vulnerable Linux system with kernel >= 2.6.13 · Ability to execute the exploit binary
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by dreyer & RoMaNSoFt · clocallinux
https://www.exploit-db.com/exploits/2004

This exploit leverages a Linux kernel vulnerability (CVE-2006-2451) in PRCTL core dump handling to achieve local privilege escalation. It manipulates core dump behavior to create a cron job that copies a root-owned shell to /tmp/sh, granting root access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4)
No auth needed
Prerequisites: Local access to the vulnerable system · Kernel version within the affected range
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (33)

Core 33
Core References
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-488
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2006-0574.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440117/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_17_sr.html
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_42_kernel.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2699
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/439483/100/100/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440379/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440057/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/439610/100/100/threaded
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_47_kernel.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016451
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20965
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18874
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-311-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27030
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21966
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_16_sr.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20953
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21498
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_49_kernel.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20986
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20991
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20960
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11336
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/439869/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440118/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21179

Scores

EPSS 0.0439
EPSS Percentile 90.0%

Details

CWE
CWE-399
Status published
Products (32)
linux/linux_kernel 2.6.13
linux/linux_kernel 2.6.13.1
linux/linux_kernel 2.6.13.2
linux/linux_kernel 2.6.13.3
linux/linux_kernel 2.6.13.4
linux/linux_kernel 2.6.13.5
linux/linux_kernel 2.6.14 (6 CPE variants)
linux/linux_kernel 2.6.14.1
linux/linux_kernel 2.6.14.2
linux/linux_kernel 2.6.14.3
... and 22 more
Published Jul 07, 2006
Tracked Since Feb 18, 2026