CVE-2006-3824

Sun Solaris - Kernel Memory Exposure via sysinfo System Call

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-3824. PoCs published by Marco Ivaldi, prdelka.

AI-analyzed exploit summary This exploit leverages a signedness error in the Solaris sysinfo(2) system call to trigger a kernel memory leak by passing a 0 variable count argument, causing a -1 argument to be used by the copyout function. It dumps kernel memory to a specified file.

Description

systeminfo.c for Sun Solaris allows local users to read kernel memory via a 0 variable count argument to the sysinfo system call, which causes a -1 argument to be used by the copyout function. NOTE: this issue has been referred to as an integer overflow, but it is probably more like a signedness error or integer underflow.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Marco Ivaldi · clocalsolaris
https://www.exploit-db.com/exploits/2241

This exploit leverages a signedness error in the Solaris sysinfo(2) system call to trigger a kernel memory leak by passing a 0 variable count argument, causing a -1 argument to be used by the copyout function. It dumps kernel memory to a specified file.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Solaris 10 (SPARC and x86) without patches 118833-09 or 118855-06
No auth needed
Prerequisites: Local access to a vulnerable Solaris 10 system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by prdelka · clocalsolaris
https://www.exploit-db.com/exploits/2067

This exploit leverages an integer overflow in Solaris' sysinfo() system call to disclose kernel memory. It allocates a large buffer and writes kernel memory contents to a file specified by the user.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Solaris <= 10
No auth needed
Prerequisites: Local access to a vulnerable Solaris system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016555
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440849/100/100/threaded
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2936
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21148
Various Sources third-party-advisory x_refsource_idefense
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=410
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19104
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440986/100/100/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27901

Scores

EPSS 0.0098
EPSS Percentile 57.7%

Details

Status published
Products (1)
sun/solaris 10.0 (2 CPE variants)
Published Jul 25, 2006
Tracked Since Feb 18, 2026