CVE-2007-4573

Linux kernel <2.6.22.7 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-4573. PoCs published by Robert Swiecki, Wojciech Purczynski.

AI-analyzed exploit summary This exploit targets a Linux kernel vulnerability in the ia32syscall emulation, allowing local privilege escalation by manipulating the GS segment register to overwrite UID/EUID/SUID values in kernel memory.

Description

The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Robert Swiecki · clocallinux_x86-64
https://www.exploit-db.com/exploits/4460

This exploit targets a Linux kernel vulnerability in the ia32syscall emulation, allowing local privilege escalation by manipulating the GS segment register to overwrite UID/EUID/SUID values in kernel memory.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (x86_64) with ia32syscall emulation
No auth needed
Prerequisites: x86_64 Linux system with vulnerable kernel · Local user access
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Wojciech Purczynski · clocallinux
https://www.exploit-db.com/exploits/30604

This exploit targets a Linux kernel privilege escalation vulnerability (CVE-2007-4573) in the ia32syscall emulation. It manipulates kernel memory via ptrace to overwrite UID/EUID/SUID values, granting root privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel < 2.4.35.3 and < 2.6.22.7
No auth needed
Prerequisites: Local access to the system · x86_64 architecture
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (39)

Core 39
Core References
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-518-1
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0937.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27212
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27227
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0938.html
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2007_53_kernel.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1018748
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26953
Mailing List vendor-advisory x_refsource_fedora
http://fedoranews.org/updates/FEDORA-2007-229.shtml
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/480451/100/0/threaded
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26978
Patch mailing-list x_refsource_mlist
http://lkml.org/lkml/2007/9/21/512
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26934
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26994
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26995
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2008/dsa-1504
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25774
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2008:008
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26919
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27912
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/3246
Various Sources mailing-list x_refsource_mlist
http://lkml.org/lkml/2007/9/21/513
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/480705/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9735
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2007/dsa-1381
Mailing List mailing-list x_refsource_fulldisc
http://marc.info/?l=full-disclosure&m=119062587407908&w=2
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:196
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2008:105
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0936.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26955
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29058
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-1754
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26917
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2007/dsa-1378
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:195

Scores

EPSS 0.0082
EPSS Percentile 52.4%

Details

CWE
CWE-264
Status published
Products (1)
linux/linux_kernel < 2.4.35
Published Sep 24, 2007
Tracked Since Feb 18, 2026