CVE-2011-1485

Linux PolicyKit Race Condition Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 5 public exploits for CVE-2011-1485. PoCs published by Metasploit, xi4oyu, zx2c4, including Metasploit module exploits/linux/local/pkexec.

AI-analyzed exploit summary: This Metasploit module exploits a race condition in PolicyKit's pkexec (CVE-2011-1485) to escalate privileges to root. It leverages a writable directory to execute arbitrary commands via a crafted payload.

Description

Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/35021

This Metasploit module exploits a race condition in PolicyKit's pkexec (CVE-2011-1485) to escalate privileges to root. It leverages a writable directory to execute arbitrary commands via a crafted payload.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: PolicyKit (polkit) versions prior to 0.96-2.el6_0.1 (RHEL6) and 0.96-2ubuntu1.1 (Ubuntu 10.10)
No auth needed
Prerequisites: Local access to a vulnerable system · Writable directory (e.g., /tmp)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by xi4oyu · c · local · linux
https://www.exploit-db.com/exploits/17942

This exploit leverages a race condition in pkexec (CVE-2011-1485) to gain root privileges by manipulating file permissions and executing a shell with elevated privileges. It uses pipes and process forking to exploit the vulnerability.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: pkexec (polkit)
No auth needed
Prerequisites: Local access to the system · pkexec binary present
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by zx2c4 · c · local · linux
https://www.exploit-db.com/exploits/17932

This exploit leverages a race condition in PolicyKit (CVE-2011-1485) by using inotify to detect when /proc/PID is accessed and then executing a setuid binary to trick pkexec into granting root privileges.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: PolicyKit (polkit-1) <= 0.101
No auth needed
Prerequisites: Presence of a setuid binary (e.g., /usr/bin/chsh) · PolicyKit version <= 0.101 without backported fixes
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Pashkela · poc
https://github.com/Pashkela/CVE-2011-1485

This repository contains a functional exploit for CVE-2011-1485, a local privilege escalation vulnerability in PolicyKit (pkexec). The exploit leverages a race condition in pkexec to gain root privileges by manipulating file permissions and executing arbitrary commands.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: PolicyKit (pkexec)
No auth needed
Prerequisites: Local access to the target system · Presence of pkexec binary
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC GREAT
by xi4oyu, 0a29406d9794e4f9b30b3c5d6702c708 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/pkexec.rb

This Metasploit module exploits a race condition in PolicyKit's pkexec (CVE-2011-1485) to escalate privileges to root. It leverages a time-of-check to time-of-use (TOCTOU) vulnerability by manipulating file descriptors and environment variables during pkexec execution.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: PolicyKit pkexec (versions <= 0.101)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · pkexec installed and vulnerable version
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:086
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-0455.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2319
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8424
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1117-1
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201204-06.xml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48817

Scores

EPSS 0.0529
EPSS Percentile 91.5%

Details

CWE
CWE-362
Status published
Products (1)
redhat/policykit 0.96
Published May 31, 2011
Tracked Since Feb 18, 2026