CVE-2013-2094

Exploitation Summary

CVE-2013-2094 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 15, 2022. EIP tracks 10 public exploits from researchers including Vitaly Nikolenko, Andrea Bittau, sd.

AI-analyzed exploit summary This exploit leverages a vulnerability in the Linux kernel's perf_swevent_init function to achieve local privilege escalation by manipulating interrupt descriptor table entries and executing arbitrary kernel code.

Description

The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.

Exploits (10)

exploitdb WORKING POC VERIFIED

by Vitaly Nikolenko · clocallinux_x86-64

https://www.exploit-db.com/exploits/33589

View Code ZIP pw:eip

This exploit leverages a vulnerability in the Linux kernel's perf_swevent_init function to achieve local privilege escalation by manipulating interrupt descriptor table entries and executing arbitrary kernel code.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 3.2.0-23-generic, 3.2.0-29-generic, 3.5.0-23-generic (Ubuntu 12.04)

No auth needed

Prerequisites: Local access to the target system · Specific kernel versions (Ubuntu 12.04 with listed kernel versions)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Andrea Bittau · clocallinux_x86-64

https://www.exploit-db.com/exploits/26131

View Code ZIP pw:eip

This exploit targets CVE-2013-2094, a Linux kernel vulnerability in the perf_swevent_enabled function, allowing local privilege escalation by manipulating performance event counters to overwrite kernel memory and execute arbitrary code.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel < 3.8.9

No auth needed

Prerequisites: Local access to the target system · Linux kernel version < 3.8.9

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by sd · clocallinux

https://www.exploit-db.com/exploits/25444

View Code ZIP pw:eip

This exploit targets a privilege escalation vulnerability in the Linux kernel (CVE-2013-2094) by manipulating the perf subsystem to achieve arbitrary kernel memory write access, ultimately escalating privileges to root.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 2.6.37-3.x.x (x86_64)

No auth needed

Prerequisites: Access to a vulnerable Linux kernel version · Ability to execute arbitrary code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 91 stars

by realtalk · local

https://github.com/realtalk/cve-2013-2094

View Code ZIP pw:eip

This is a rewritten and deobfuscated version of the original CVE-2013-2094 exploit, which leverages a privilege escalation vulnerability in the Linux kernel's perf_event_open system call. The exploit manipulates kernel memory to overwrite credentials and elevate privileges to root.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel (versions affected by CVE-2013-2094)

No auth needed

Prerequisites: Access to a vulnerable Linux kernel · Ability to execute arbitrary code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 16 stars

by hiikezoe · local

https://github.com/hiikezoe/libperf_event_exploit

View Code ZIP pw:eip

This PoC exploits CVE-2013-2094, a Linux kernel vulnerability in the perf_swevent_enabled functionality, allowing arbitrary memory writes via the perf_event_open syscall. It targets specific Android devices with known memory addresses for exploitation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux kernel (Android devices)

No auth needed

Prerequisites: Target device must be one of the listed Android devices with known memory addresses

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by Pashkela · poc

https://github.com/Pashkela/CVE-2013-2094

View Code ZIP pw:eip

This is a functional local privilege escalation exploit for CVE-2013-2094, targeting Linux kernels 2.6.32/2.6.37 to 3.8.10 via a PERF_EVENTS vulnerability. The exploit manipulates kernel memory to achieve root access without requiring a backconnect.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 2.6.32/2.6.37 - 3.8.10

No auth needed

Prerequisites: Local access to a vulnerable Linux system · Compilation environment for C code

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by timhsutw · remote

https://github.com/timhsutw/cve-2013-2094

View Code ZIP pw:eip

This is a functional local privilege escalation exploit for CVE-2013-2094, targeting a vulnerability in the Linux kernel's PERF_EVENT subsystem. It leverages memory corruption to overwrite kernel structures and achieve root privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 2.6.37-3.8.8 (x86)

No auth needed

Prerequisites: Access to /dev/ptmx · System.map file for kernel symbol resolution · Vulnerable kernel version

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by vnik5287 · remote

https://github.com/vnik5287/CVE-2013-2094

View Code ZIP pw:eip

This is a local privilege escalation exploit for CVE-2013-2094 targeting Ubuntu 12.04 kernels (3.2.0-23, 3.2.0-29, 3.5.0-23). It leverages a vulnerability in the perf_swevent_init function to overwrite kernel memory and escalate privileges to root.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 3.2.0-23-generic, 3.2.0-29-generic, 3.5.0-23-generic on Ubuntu 12.04

No auth needed

Prerequisites: Local access to the target system · Vulnerable kernel version

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by letsr00t · poc

https://github.com/letsr00t/CVE-2013-2094

View Code ZIP pw:eip

This is a privilege escalation exploit for CVE-2013-2094, targeting a vulnerability in the Linux kernel's perf_swevent_init function. It manipulates kernel memory to achieve root access by exploiting a race condition in the performance events subsystem.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel 2.6.37-3.x.x x86_64

No auth needed

Prerequisites: Access to a vulnerable Linux kernel version · Local user access

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by tarunyadav · poc

https://github.com/tarunyadav/fix-cve-2013-2094

View Code ZIP pw:eip

This script automates the mitigation of CVE-2013-2094 by downloading kernel packages and compiling a systemtap script into a kernel module. It is designed to patch the vulnerability on a specified kernel version.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Linux kernel (specific version not specified)

Auth required

Prerequisites: Access to a system with the vulnerable kernel · Root privileges to install packages · Debuginfo repository enabled

MITRE ATT&CK