CVE-2010-3301

Linux kernel <2.6.36-rc4-git2 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-3301. PoCs published by ben hawkes.

AI-analyzed exploit summary This exploit leverages a vulnerability in the x86_64 Linux kernel's ia32syscall emulation to achieve local privilege escalation by manipulating system call parameters via ptrace and mapping a shellcode payload into kernel memory.

Description

The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression.

Exploits (1)

exploitdb WORKING POC VERIFIED
by ben hawkes · clocallinux_x86-64
https://www.exploit-db.com/exploits/15023

This exploit leverages a vulnerability in the x86_64 Linux kernel's ia32syscall emulation to achieve local privilege escalation by manipulating system call parameters via ptrace and mapping a shellcode payload into kernel memory.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (x86_64) with ia32syscall emulation
No auth needed
Prerequisites: Local access to the target system · Vulnerable kernel version · Ability to execute binaries
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (17)

Core 17
Core References
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/09/16/3
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/09/16/1
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3117
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=634449
Third Party Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:198
Third Party Advisory x_refsource_misc
http://sota.gen.nz/compat2/
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1041-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0842.html
Third Party Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:247
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0298
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42758
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0070

Scores

EPSS 0.0382
EPSS Percentile 88.7%

Details

CWE
CWE-269
Status published
Products (6)
canonical/ubuntu_linux 9.10
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 10.10
linux/linux_kernel 2.6.36 (4 CPE variants)
linux/linux_kernel < 2.6.36
suse/linux_enterprise_real_time_extension 11 sp1
Published Sep 22, 2010
Tracked Since Feb 18, 2026