CVE-2010-3856

glibc < 2.11.3 and 2.12.x < 2.12.2 - Privilege Escalation via LD_AUDIT Environment Variable

Exploitation Summary

EIP tracks 4 public exploits for CVE-2010-3856. PoCs published by Metasploit, zx2c4, Tavis Ormandy, including Metasploit module exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2010-3856, a privilege escalation vulnerability in glibc's dynamic linker by abusing the LD_AUDIT environment variable to load arbitrary shared objects with elevated privileges. It leverages libpcprofile.so to create a root-owned file in a trusted library path, which is then overwritten with a malicious shared object for code execution.

Description

ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/44025

This Metasploit module exploits CVE-2010-3856, a privilege escalation vulnerability in glibc's dynamic linker by abusing the LD_AUDIT environment variable to load arbitrary shared objects with elevated privileges. It leverages libpcprofile.so to create a root-owned file in a trusted library path, which is then overwritten with a malicious shared object for code execution.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: glibc versions before 2.11.3 and 2.12.x before 2.12.2
No auth needed
Prerequisites: Presence of libpcprofile.so in the system's library search path · A setuid executable to abuse (default: /bin/ping) · Write permissions in a directory (default: /tmp)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by zx2c4 · bash · local · linux
https://www.exploit-db.com/exploits/18105

This exploit leverages CVE-2010-3856 to achieve local privilege escalation by abusing the LD_AUDIT environment variable and libpcprofile.so to create a world-writable root-owned file, which is then replaced with a malicious shared library to spawn a root shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: glibc dynamic linker (affected versions)
No auth needed
Prerequisites: Local access to a vulnerable system · Presence of libpcprofile.so · GCC to compile the payload
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Tavis Ormandy · text · local · linux
https://www.exploit-db.com/exploits/15304

This exploit leverages CVE-2010-3856 in the GNU C library dynamic linker, where LD_AUDIT can load arbitrary DSOs with initialization routines executed as root. The PoC demonstrates privilege escalation by abusing libpcprofile.so to create a world-writable cron job file, leading to a root shell.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: GNU C Library (glibc) versions 2.5, 2.11.1, 2.12.1, and 2.7
No auth needed
Prerequisites: Access to a system with vulnerable glibc · Ability to write to a trusted library path or influence LD_AUDIT
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Tavis Ormandy, zx2c4, I Can, t Race You Either, Marco Ivaldi, Todor Donev, bcoles · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.rb

This Metasploit module exploits CVE-2010-3847, a privilege escalation vulnerability in glibc's dynamic linker. It abuses the LD_AUDIT environment variable to load arbitrary shared objects with elevated privileges, leveraging libpcprofile.so to achieve root access.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: glibc versions before 2.11.3 and 2.12.x before 2.12.2
No auth needed
Prerequisites: Presence of a SUID executable · libpcprofile.so in the system library search path
devstral-2 · analyzed Feb 16, 2026

References (24)

Core References
Mailing List mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Jun/14
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2010/Oct/344
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/44347
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201011-01.xml
Vendor Advisory x_refsource_confirm
http://support.avaya.com/css/P8/documents/100121017
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0872.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44025/
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-2122
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1009-1
Patch mailing-list x_refsource_mlist
http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/515545/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:212
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42787
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0025
Vendor Advisory vendor-advisory x_refsource_redhat
https://rhn.redhat.com/errata/RHSA-2010-0793.html
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Jun/18

Scores

EPSS 0.0945
EPSS Percentile 94.8%

Details

CWE: CWE-264
Status: published
Products (50)
gnu/glibc 1.00
gnu/glibc 1.01
gnu/glibc 1.02
gnu/glibc 1.03
gnu/glibc 1.04
gnu/glibc 1.05
gnu/glibc 1.06
gnu/glibc 1.07
gnu/glibc 1.08
gnu/glibc 1.09
... and 40 more
Published Jan 07, 2011
Tracked Since Feb 18, 2026