CVE-2012-0217

FreeBSD Intel SYSRET Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 4 public exploits for CVE-2012-0217. PoCs have been published by Metasploit, CurcolHekerLink, and Shahriyar Jalayeri, including the Metasploit module exploits/freebsd/local/intel_sysret_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2012-0217, a privilege escalation vulnerability in FreeBSD on 64-bit Intel processors. It leverages the SYSRET instruction to execute privileged code by triggering a general protection fault in kernel mode.

Description

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.

Exploits (4)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · freebsd_x86-64
https://www.exploit-db.com/exploits/46508

This Metasploit module exploits CVE-2012-0217, a privilege escalation vulnerability in FreeBSD on 64-bit Intel processors. It leverages the SYSRET instruction to execute privileged code by triggering a general protection fault in kernel mode.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD 8.3-RELEASE (amd64), FreeBSD 9.0-RELEASE (amd64)
Auth required
Prerequisites: Local shell access · 64-bit Intel processor · Vulnerable FreeBSD version
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by CurcolHekerLink · c · local · freebsd
https://www.exploit-db.com/exploits/28718

This exploit leverages the SYSRET vulnerability (CVE-2012-0217) in FreeBSD 9.0 to achieve kernel privilege escalation by manipulating the Interrupt Descriptor Table (IDT) and executing arbitrary code in kernel mode.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: FreeBSD 9.0
No auth needed
Prerequisites: FreeBSD 9.0 system with vulnerable kernel
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Shahriyar Jalayeri · text · local · windows_x86-64
https://www.exploit-db.com/exploits/20861

This exploit leverages the SYSRET vulnerability in Microsoft Windows kernel (Intel/x64) to disable code signing and escalate privileges to NT SYSTEM for a specified process. It is a proof-of-concept for CVE-2012-0217, addressed in MS12-042.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows kernel (Intel/x64) pre-MS12-042
No auth needed
Prerequisites: Vulnerable Windows kernel version · Local access to the target system
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GREAT
by Rafal Wojtczuk, John Baldwin, iZsh, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb

This Metasploit module exploits CVE-2012-0217, a privilege escalation vulnerability in FreeBSD on 64-bit Intel processors. It leverages the SYSRET instruction to execute privileged code by triggering a general protection fault in kernel mode.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD 8.3-RELEASE (amd64), FreeBSD 9.0-RELEASE (amd64)
Auth required
Prerequisites: Local shell access on vulnerable FreeBSD system · 64-bit Intel processor · Writable directory (default /tmp)
devstral-2 · analyzed Feb 16, 2026

References (23)

Core References
Various Sources mailing-list x_refsource_mlist
http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html
Various Sources vendor-advisory x_refsource_freebsd
http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
Vendor Advisory vendor-advisory x_refsource_netbsd
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/55082
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-164A.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/28718/
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=813428
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201309-24.xml
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15596
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2501
Issue Tracking x_refsource_confirm
https://www.illumos.org/issues/2873
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2508
Various Sources mailing-list x_refsource_mlist
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
Vendor Advisory x_refsource_confirm
http://support.citrix.com/article/CTX133161
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46508/
Various Sources x_refsource_confirm
http://smartos.org/2012/06/15/smartos-news-3/
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/649219
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

Scores

EPSS 0.8816
EPSS Percentile 99.5%

Details

CWE: CWE-119
Status: published
Products (19)
citrix/xenserver 6.0
citrix/xenserver < 6.0.2
freebsd/freebsd < 9.0
illumos/illumos < r13723
joyent/smartos < 20120614
microsoft/windows_7 (2 CPE variants)
microsoft/windows_server_2003
microsoft/windows_server_2008 r2
microsoft/windows_xp
netbsd/netbsd < 6.0
... and 9 more
Published Jun 12, 2012
Tracked Since Feb 18, 2026