CVE-2009-1185

udev < 141 - Privilege Escalation via Unverified NETLINK Message

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2009-1185. PoCs published by Metasploit, Jon Oberheide, kingcope, including Metasploit module exploits/linux/local/udev_netlink.

AI-analyzed exploit summary This exploit leverages CVE-2009-1185, a vulnerability in udev versions < 1.4.1 that fails to verify netlink messages, allowing local privilege escalation by sending crafted netlink messages from userland. The exploit writes a payload and a malicious binary to a writable directory, then triggers the vulnerability to execute the payload with elevated privileges.

Description

udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocallinux
https://www.exploit-db.com/exploits/21848

This exploit leverages CVE-2009-1185, a vulnerability in udev versions < 1.4.1 that fails to verify netlink messages, allowing local privilege escalation by sending crafted netlink messages from userland. The exploit writes a payload and a malicious binary to a writable directory, then triggers the vulnerability to execute the payload with elevated privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: udev < 1.4.1
No auth needed
Prerequisites: Local access to the target system · Writable directory (e.g., /tmp) · udev version < 1.4.1
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Jon Oberheide · clocallinux
https://www.exploit-db.com/exploits/8572

This exploit leverages a NETLINK message verification flaw in udev before 1.4.1 to trigger arbitrary command execution via the 95-udev-late.rules file, allowing local privilege escalation by sending a crafted NETLINK message from user space.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: udev < 1.4.1
No auth needed
Prerequisites: udev < 1.4.1 · presence of 95-udev-late.rules · udevd netlink PID · /tmp/run executable
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by kingcope · bashlocallinux
https://www.exploit-db.com/exploits/8478

This exploit leverages a vulnerability in the Linux kernel's netlink socket handling (CVE-2009-1185) to achieve local privilege escalation by injecting a malicious LD_PRELOAD library into a privileged process (udevd). The exploit crafts a netlink message to trigger the vulnerability and spawns a root shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Linux kernel 2.6.x
No auth needed
Prerequisites: Access to a vulnerable Linux system · Ability to compile and execute code · udevd process running with elevated privileges
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by kcope, Jon Oberheide, egypt · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/udev_netlink.rb

This Metasploit module exploits CVE-2009-1185 in udev versions < 1.4.1 by sending spoofed netlink messages to gain root privileges. It writes a payload executable and an exploit binary to a writable directory, then executes them to achieve local privilege escalation.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: udev < 1.4.1
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Writable directory (e.g., /tmp) · udev version < 1.4.1
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (39)

Core 39
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/502752/100/0/threaded
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34801
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35766
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00006.html
Broken Link vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:104
Mailing List, Third Party Advisory vendor-advisory x_refsource_slackware
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.446399
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00462.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1772
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200904-18.xml
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1865
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34536
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022067
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-0427.html
Broken Link vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:103
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34776
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34731
Third Party Advisory mailing-list x_refsource_mlist
http://lists.vmware.com/pipermail/security-announce/2009/000060.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34753
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34785
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34787
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00463.html
Issue Tracking, Third Party Advisory x_refsource_misc
https://launchpad.net/bugs/cve/2009-1185
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1053
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00012.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-758-1
Third Party Advisory x_refsource_confirm
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10691
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34771
Third Party Advisory x_refsource_confirm
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504849/100/0/threaded
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34750
Broken Link x_refsource_confirm
http://wiki.rpath.com/Advisories:rPSA-2009-0063
Third Party Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2009-0009.html
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=495051
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8572

Scores

EPSS 0.8153
EPSS Percentile 99.6%

Details

CWE
CWE-346
Status published
Products (21)
canonical/ubuntu_linux 6.06
canonical/ubuntu_linux 7.10
canonical/ubuntu_linux 8.04
canonical/ubuntu_linux 8.10
debian/debian_linux 4.0
debian/debian_linux 5.0
fedoraproject/fedora 9
fedoraproject/fedora 10
juniper/ctpview 7.1 (2 CPE variants)
juniper/ctpview 7.2
... and 11 more
Published Apr 17, 2009
Tracked Since Feb 18, 2026