CVE-2009-2692

HIGH EXPLOITED

Linux kernel <2.6.30.4, <2.4.37.4 - Privilege Escalation


Exploitation Summary

CVE-2009-2692 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 10 public exploits from researchers including Metasploit, Ramon de C Valle, and INetCop Security, among them the Metasploit module exploits/linux/local/sock_sendpage.

AI-analyzed exploit summary: This is a Metasploit module for CVE-2009-2692, a Linux kernel local privilege escalation vulnerability via sendpage. It exploits a NULL pointer dereference to gain root privileges.

Description

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Exploits (10)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/19933

This is a Metasploit module for CVE-2009-2692, a Linux kernel local privilege escalation vulnerability via sendpage. It exploits a NULL pointer dereference to gain root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (versions affected by CVE-2009-2692)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Kernel version affected by CVE-2009-2692
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Ramon de C Valle · text · local · linux
https://www.exploit-db.com/exploits/9641

This exploit targets a Linux kernel vulnerability (CVE-2009-2692) in the sendpage function, allowing local privilege escalation. It supports multiple architectures (i386, x86_64, ppc, ppc64) and includes techniques like the personality trick and SELinux mmap_zero permission bypass.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (versions affected by CVE-2009-2692)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2009-2692
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Ramon de C Valle · text · local · linux
https://www.exploit-db.com/exploits/9598

This exploit targets a NULL pointer dereference vulnerability in the Linux kernel's sock_sendpage() function, which can lead to local privilege escalation. It includes support for systems with COW credentials and SELinux enforcement by searching for exploitable types with mmap_zero permission.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (versions with sock_sendpage() NULL pointer dereference vulnerability)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2009-2692
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Ramon de C Valle · c · local · linux
https://www.exploit-db.com/exploits/9545

This exploit leverages a NULL pointer dereference in the Linux kernel's sock_sendpage() function (CVE-2009-2692) to achieve local privilege escalation by manipulating the task_struct to reset UID and GID values. It targets specific kernel versions and architectures, including i386, x86_64, ppc, and ppc64.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel versions 2.4.4 to 2.4.37.4 and 2.6.0 to 2.6.30.4
No auth needed
Prerequisites: Vulnerable kernel version · Ability to execute code on the target system
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by INetCop Security · c · local · linux
https://www.exploit-db.com/exploits/9479

This exploit leverages CVE-2009-2692, a local privilege escalation vulnerability in the Linux kernel's sock_sendpage() function. It manipulates kernel memory to escalate privileges to root by overwriting task_struct fields in the kernel.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel 2.4/2.6 (32-bit)
Auth required
Prerequisites: Local access to the target system · Non-root user privileges
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Zinx · text · local · android
https://www.exploit-db.com/exploits/9477

This exploit targets CVE-2009-2692, a local privilege escalation vulnerability in Android kernels prior to August 2009. The exploit leverages a kernel vulnerability to gain root access on affected devices.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Android kernel (pre-August 2009)
No auth needed
Prerequisites: Physical or local access to the target Android device · Device running a vulnerable kernel version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Przemyslaw Frasunek · text · local · linux
https://www.exploit-db.com/exploits/9436

This exploit leverages a Linux kernel NULL pointer dereference vulnerability due to incorrect proto_ops initializations. It provides a tgz archive containing the exploit code, which can lead to local privilege escalation.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (versions affected by CVE-2009-2692)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2009-2692
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by spender · text · local · linux
https://www.exploit-db.com/exploits/9435

This is a writeup and commentary related to CVE-2009-2692, discussing an SELinux bypass vulnerability. It references external exploit code but does not contain functional exploit code itself.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Linux Kernel (SELinux)
No auth needed
Prerequisites: Access to the referenced exploit archive
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by jdvalentini · poc
https://github.com/jdvalentini/CVE-2009-2692

This repository contains a compiled binary for CVE-2009-2692, a Linux null pointer dereference vulnerability. The binary is derived from Exploit-DB exploit 9545 and was compiled under CentOS 4.8 for educational purposes.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Linux Kernel (versions affected by CVE-2009-2692)
No auth needed
Prerequisites: Access to a vulnerable Linux system (e.g., CentOS 4.8)
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC GREAT
by Tavis Ormandy, Julien Tinnes <julien at cr0.org>, spender, rcvalle, egypt · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb

This Metasploit module exploits a Linux kernel NULL pointer dereference vulnerability (CVE-2009-2692) in the proto_ops struct, allowing local privilege escalation by mapping page 0 and executing arbitrary code in kernel context.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel 2.4.4 to 2.4.37.4 and 2.6.0 to 2.6.30.4
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Kernel version within affected range · vm.mmap_min_addr not set or set to 0
devstral-2 · analyzed Feb 16, 2026

References (39)

Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-1233.html
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36278
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1865
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2009-1223.html
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/512019/100/0/threaded
Broken Link, Vendor Advisory x_refsource_confirm
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37298
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36430
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37471
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2009-1222.html
Broken Link, Exploit mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
Issue Tracking, Patch x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=516949
Broken Link x_refsource_confirm
https://issues.rpath.com/browse/RPL-3103
Third Party Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/19933
Broken Link, Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2272
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/505751/100/0/threaded
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36289
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507985/100/0/threaded
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36327
Third Party Advisory x_refsource_confirm
http://support.avaya.com/css/P8/documents/100067254
Broken Link vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9477
Broken Link, Vendor Advisory x_refsource_confirm
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
Mailing List, Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/08/14/1
Broken Link, Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36038
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/505912/100/0/threaded
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3316
Broken Link, Vendor Advisory x_refsource_confirm
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5

Scores

CVSS v3: 7.8
EPSS: 0.1756
EPSS Percentile: 95.3%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2026-02-09
CWE: CWE-908
Status: published
Products (12):
debian/debian_linux 4.0
linux/linux_kernel 2.4.4 - 2.4.37.5
redhat/enterprise_linux_desktop 4.0
redhat/enterprise_linux_desktop 5.0
redhat/enterprise_linux_eus 4.8
redhat/enterprise_linux_eus 5.3
redhat/enterprise_linux_server 4.0
redhat/enterprise_linux_server 5.0
redhat/enterprise_linux_server_aus 5.3
redhat/enterprise_linux_workstation 4.0
... and 2 more
Published: Aug 14, 2009
Tracked Since: Feb 18, 2026