CVE-2009-2698

HIGH EXPLOITED

Linux Kernel <2.6.19 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2009-2698 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including spender, Andi, INetCop Security.

AI-analyzed exploit summary This exploit targets CVE-2009-2698, a vulnerability in the Linux kernel's udp_sendmsg() function, allowing local privilege escalation. The code references a proof-of-concept (PoC) for x86/x64 architectures, with additional resources provided for compilation and execution.

Description

The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.

Exploits (4)

exploitdb WORKING POC VERIFIED
by spender · textlocallinux
https://www.exploit-db.com/exploits/9574

This exploit targets CVE-2009-2698, a vulnerability in the Linux kernel's udp_sendmsg() function, allowing local privilege escalation. The code references a proof-of-concept (PoC) for x86/x64 architectures, with additional resources provided for compilation and execution.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel (versions affected by CVE-2009-2698)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2009-2698
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Andi · clocallinux
https://www.exploit-db.com/exploits/9575

This exploit leverages a vulnerability in the Linux kernel (< 2.6.19) where the `udp_sendmsg` function can be manipulated via a callback function in `dst_entry`/`rtable` to escalate privileges to root. It uses inline assembly to set UID/GID values to zero, achieving local privilege escalation.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel < 2.6.19
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Kernel version < 2.6.19
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by INetCop Security · clocallinux_x86
https://www.exploit-db.com/exploits/9542

This exploit targets a vulnerability in the Linux kernel (CVE-2009-2698) by manipulating the `ip_append_data()` function to achieve local privilege escalation to root. It uses a combination of memory manipulation and socket operations to trigger the vulnerability and execute arbitrary kernel code.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel 2.6 < 2.6.19 (32bit)
No auth needed
Prerequisites: Local access to the target system · Kernel version within the vulnerable range
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 28 stars
by xiaoxiaoleo · poc
https://github.com/xiaoxiaoleo/CVE-2009-2698

This repository contains a functional exploit for CVE-2009-2698, a local privilege escalation vulnerability in the Linux kernel. The exploit code (36108.c) is compiled and executed on CentOS 4.8, successfully escalating privileges from a regular user to root.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel 2.6.9-89.EL (CentOS 4.8)
Auth required
Prerequisites: Local access to the target system · GCC compiler to compile the exploit
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (26)

Core 26
Core References
Broken Link, Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-1233.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2009-1223.html
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/512019/100/0/threaded
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37298
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022761
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36430
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00008.html
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11514
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36510
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37471
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2009-1222.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-852-1
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23073
Third Party Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
Broken Link, Exploit, Patch, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36108
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/08/25/1
Broken Link, Third Party Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:051
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507985/100/0/threaded
Third Party Advisory x_refsource_confirm
http://support.avaya.com/css/P8/documents/100067254
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9142
Broken Link, Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8557
Broken Link, Vendor Advisory x_refsource_confirm
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.19
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3316
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37105
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=518034

Scores

CVSS v3 7.8
EPSS 0.2612
EPSS Percentile 96.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2026-02-09
CWE
CWE-476
Status published
Products (20)
canonical/ubuntu_linux 6.06
canonical/ubuntu_linux 8.04
canonical/ubuntu_linux 8.10
canonical/ubuntu_linux 9.04
fedoraproject/fedora 10
linux/linux_kernel < 2.6.19
redhat/enterprise_linux_desktop 4.0
redhat/enterprise_linux_desktop 5.0
redhat/enterprise_linux_eus 4.8
redhat/enterprise_linux_eus 5.3
... and 10 more
Published Aug 27, 2009
Tracked Since Feb 18, 2026