CVE-2009-1894

PulseAudio <0.9.14 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-1894. PoCs published by anonymous.

AI-analyzed exploit summary This exploit leverages a race condition in PulseAudio (CVE-2009-1894) to achieve local privilege escalation by manipulating hard links and executing a shell with elevated privileges. The PoC creates a temporary directory, links the PulseAudio binary and a malicious shell binary, then exploits the race condition to execute the shell as root.

Description

Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.

Exploits (2)

exploitdb WORKING POC VERIFIED
by anonymous · bashlocallinux
https://www.exploit-db.com/exploits/9207

This exploit leverages a race condition in PulseAudio (CVE-2009-1894) to achieve local privilege escalation by manipulating hard links and executing a shell with elevated privileges. The PoC creates a temporary directory, links the PulseAudio binary and a malicious shell binary, then exploits the race condition to execute the shell as root.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: PulseAudio (versions prior to fix)
No auth needed
Prerequisites: Local access to the system · PulseAudio installed and running · GCC to compile the exploit
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by anonymous · textlocallinux
https://www.exploit-db.com/exploits/9208

This exploit leverages a setuid vulnerability in PulseAudio to escalate privileges to root. It involves placing files in a specific directory and executing a binary to gain root access, then installing a setuid shell for persistence.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: PulseAudio (versions affected by CVE-2009-1894)
No auth needed
Prerequisites: Access to a system with vulnerable PulseAudio · Ability to place files in /tmp/pulseaudio-exp · Same filesystem as the PulseAudio binary
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (16)

Core 16
Core References
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35868
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:171
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/51804
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:152
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35886
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35721
Exploit, Patch x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=510071
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/505052/100/0/threaded
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1838
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35896
Various Sources x_refsource_misc
http://taviso.decsystem.org/research.html
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200907-13.xml
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-804-1

Scores

EPSS 0.0074
EPSS Percentile 49.6%

Details

CWE
CWE-362
Status published
Products (3)
pulseaudio/pulseaudio 0.9.9
pulseaudio/pulseaudio 0.9.10
pulseaudio/pulseaudio 0.9.14
Published Jul 17, 2009
Tracked Since Feb 18, 2026