CVE-2009-1046

Linux Kernel 2.6.28-2.6.28.4 - Denial of Service via UTF-8 Console Character Selection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-1046. PoCs published by sgrakkyu.

AI-analyzed exploit summary This exploit targets a memory corruption vulnerability (off-by-one/two) in the Linux kernel's Virtual Console UTF-8 set_selection() function (CVE-2009-1046). It leverages SCTP socket operations and kernel heap manipulation to achieve local privilege escalation by overwriting kernel structures.

Description

The console selection feature in the Linux kernel 2.6.28 before 2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers an "off-by-two memory error." NOTE: it is not clear whether this issue crosses privilege boundaries.

Exploits (1)

exploitdb WORKING POC VERIFIED
by sgrakkyu · clocallinux_x86-64
https://www.exploit-db.com/exploits/9083

This exploit targets a memory corruption vulnerability (off-by-one/two) in the Linux kernel's Virtual Console UTF-8 set_selection() function (CVE-2009-1046). It leverages SCTP socket operations and kernel heap manipulation to achieve local privilege escalation by overwriting kernel structures.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux Kernel <= 2.6.28.3
No auth needed
Prerequisites: x86-64 architecture · SLUB allocator · SCTP stack availability · Virtual console attached to stdout
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (14)

Core 14
Core References
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33672
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-751-1
Patch mailing-list x_refsource_mlist
http://lists.openwall.net/linux-kernel/2009/02/02/364
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-0451.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/02/12/9
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/02/12/10
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34981
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1800
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/02/12/11
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34917
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1787
Patch mailing-list x_refsource_mlist
http://lists.openwall.net/linux-kernel/2009/01/30/333
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35121

Scores

EPSS 0.0078
EPSS Percentile 51.1%

Details

CWE
CWE-399
Status published
Products (5)
linux/linux_kernel 2.6.25
linux/linux_kernel 2.6.28
linux/linux_kernel 2.6.28.1
linux/linux_kernel 2.6.28.2
linux/linux_kernel 2.6.28.3
Published Mar 23, 2009
Tracked Since Feb 18, 2026