CVE-2011-4089

bzip2 < 1.0.5 - Local Arbitrary Code Execution via Temporary File Handling

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-4089. PoCs published by vladz.

AI-analyzed exploit summary This PoC exploits a race condition in the bzexe script (CVE-2011-4089) by using Inotify to detect when a root user executes a compressed binary, then replacing it with a malicious script to gain a root shell. It demonstrates a local privilege escalation via a symlink-like attack.

Description

The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

Exploits (1)

exploitdb WORKING POC VERIFIED

by vladz · clocallinux

https://www.exploit-db.com/exploits/18147

View Code ZIP pw:eip

This PoC exploits a race condition in the bzexe script (CVE-2011-4089) by using Inotify to detect when a root user executes a compressed binary, then replacing it with a malicious script to gain a root shell. It demonstrates a local privilege escalation via a symlink-like attack.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: bzip2 (bzexe) version 1.0.5-6

No auth needed

Prerequisites: Target system must have a binary compressed with bzexe · Attacker must have write access to /tmp · Root user must execute the compressed binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →