CVE-2010-3904

HIGH KEV

Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation

Title source: metasploit

Exploitation Summary

CVE-2010-3904 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 12, 2023. EIP tracks 4 public exploits from researchers including Metasploit, Dan Rosenberg, redhatkaty, including a Metasploit module exploits/linux/local/rds_rds_page_copy_user_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits CVE-2010-3904, a vulnerability in the Linux kernel's Reliable Datagram Sockets (RDS) implementation, to achieve local privilege escalation. It supports both live compilation and pre-compiled binaries for x86 and x64 architectures.

Description

The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/44677

View Code ZIP pw:eip

This Metasploit module exploits CVE-2010-3904, a vulnerability in the Linux kernel's Reliable Datagram Sockets (RDS) implementation, to achieve local privilege escalation. It supports both live compilation and pre-compiled binaries for x86 and x64 architectures.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux kernel versions 2.6.30 to 2.6.36-rc8

Auth required

Prerequisites: Local access to a vulnerable Linux system · GCC for live compilation (optional) · Writable directory (e.g., /tmp)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Dan Rosenberg · clocallinux

https://www.exploit-db.com/exploits/15285

View Code ZIP pw:eip

This exploit leverages the RDS protocol vulnerability (CVE-2010-3904) in Linux kernels <= 2.6.36-rc8 to escalate privileges by overwriting arbitrary kernel memory. It resolves kernel symbols, manipulates security_ops, and triggers a payload to gain root access.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux Kernel <= 2.6.36-rc8

No auth needed

Prerequisites: RDS protocol support enabled in the kernel · Local user access

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by redhatkaty · local

https://github.com/redhatkaty/-cve-2010-3904-report

View Code ZIP pw:eip

This is a functional local privilege escalation exploit for CVE-2010-3904, targeting a vulnerability in the Linux kernel's RDS protocol implementation. It leverages unchecked user-space memory access to overwrite a kernel function pointer and escalate privileges to root.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux Kernel <= 2.6.36-rc8

No auth needed

Prerequisites: RDS protocol support enabled in the kernel · Local user access

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC GREAT

by Dan Rosenberg, bcoles · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/rds_rds_page_copy_user_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2010-3904, a privilege escalation vulnerability in the Linux kernel's RDS (Reliable Datagram Sockets) module. It leverages a flaw in the `rds_page_copy_user` function to execute arbitrary code as root on vulnerable kernels (2.6.30 to 2.6.36-rc8).

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux kernel 2.6.30 to 2.6.36-rc8 with RDS module

Auth required

Prerequisites: Local access to a vulnerable Linux system · RDS kernel module available or loadable · Write permissions in a directory (default: /tmp)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (20)

Core 20

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-3904

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/362983

Broken Link x_refsource_misc

http://www.vsecurity.com/download/tools/linux-rds-exploit.c

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-1000-1

Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/520102/100/0/threaded

Broken Link, Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/46397

Broken Link x_refsource_confirm

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=799c10559d60f159ab2232203f222f18fa3c4a5f

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44677/

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://securitytracker.com/id?1024613

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html

Broken Link, Third Party Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2010-0842.html

Broken Link, Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2011/0298

Issue Tracking, Patch, Third Party Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=642896

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00004.html

Third Party Advisory x_refsource_confirm

http://www.vmware.com/security/advisories/VMSA-2011-0012.html

Broken Link x_refsource_confirm

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36

Broken Link x_refsource_misc

http://www.vsecurity.com/resources/advisory/20101019-1/

Broken Link, Third Party Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2010-0792.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00008.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/155751/vReliable-Datagram-Sockets-RDS-rds_page_copy_user-Privilege-Escalation.html

Scores

CVSS v3 7.8

EPSS 0.0222

EPSS Percentile 84.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2023-05-12

VulnCheck KEV 2023-05-12

InTheWild.io 2023-05-12

ENISA EUVD EUVD-2010-3882

CWE

CWE-1284

Status published

Products (18)

canonical/ubuntu_linux 6.06

canonical/ubuntu_linux 8.04

canonical/ubuntu_linux 9.04

canonical/ubuntu_linux 9.10

canonical/ubuntu_linux 10.04

canonical/ubuntu_linux 10.10

linux/linux_kernel < 2.6.36

opensuse/opensuse 11.2

opensuse/opensuse 11.3

redhat/enterprise_linux 5.0

... and 8 more

Published Dec 06, 2010

KEV Added May 12, 2023

Tracked Since Feb 18, 2026