CVE-2014-0038

Linux Kernel recvmmsg Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 8 public exploits for CVE-2014-0038. PoCs published by Metasploit, rebel, saelo, including Metasploit module exploits/linux/local/recvmmsg_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2014-0038, a Linux kernel privilege escalation vulnerability in the recvmmsg system call. It targets specific Ubuntu 13.x kernels (3.8.0-19, 3.11.0-12, 3.11.0-15) by manipulating a timeout pointer to gain root access.

Description

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.

Exploits (8)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/40503

This Metasploit module exploits CVE-2014-0038, a Linux kernel privilege escalation vulnerability in the recvmmsg system call. It targets specific Ubuntu 13.x kernels (3.8.0-19, 3.11.0-12, 3.11.0-15) by manipulating a timeout pointer to gain root access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel 3.8.0-19, 3.11.0-12, 3.11.0-15 (Ubuntu 13.x)
No auth needed
Prerequisites: Access to a vulnerable Ubuntu 13.x system with one of the specified kernels · Ability to compile and execute the exploit
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by rebel · c · local · linux_x86-64
https://www.exploit-db.com/exploits/31347

This exploit leverages CVE-2014-0038, a vulnerability in the Linux kernel's recvmmsg system call in x32 ABI, to achieve local privilege escalation by corrupting kernel memory and overwriting a function pointer to execute arbitrary code with root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 3.4+ with CONFIG_X86_X32=y (tested on Ubuntu 13.04/13.10)
No auth needed
Prerequisites: x32 ABI enabled in the kernel · Local access to the target system · Specific kernel versions with known offsets
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by saelo · c · local · linux
https://www.exploit-db.com/exploits/31346

This exploit leverages CVE-2014-0038, a vulnerability in the X86_X32 recvmmsg syscall that allows arbitrary kernel memory writes. It targets the ptmx_fops release function pointer to achieve local privilege escalation by overwriting it with a user-controlled payload.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 3.11.0-12-generic (Ubuntu 13.10)
No auth needed
Prerequisites: Kernel symbols (PTMX_FOPS, TTY_RELEASE, etc.) must be resolvable · X86_X32 syscall support · Access to /dev/ptmx
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC
by Kees Cook · c · dos · linux
https://www.exploit-db.com/exploits/31305

This PoC exploits a bug in the Linux kernel's x32 compat layer for recvmmsg, causing a denial-of-service by triggering a kernel crash. It binds a UDP socket and calls recvmmsg with a malformed timeout parameter to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel 3.4+ with x32 ABI support
No auth needed
Prerequisites: x32 ABI support in the kernel · ability to execute code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 199 stars
by saelo · poc
https://github.com/saelo/cve-2014-0038

This is a local privilege escalation exploit for CVE-2014-0038, targeting the X86_X32 recvmmsg syscall vulnerability. It manipulates kernel memory to overwrite the release function pointer of the ptmx_fops structure, leading to root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel 3.11.0-12-generic (Ubuntu 13.10)
No auth needed
Prerequisites: Access to /proc/kallsyms or System.map for kernel symbol resolution · X86_X32 architecture support
devstral-2 · analyzed Feb 16, 2026

github · WORKING POC · 31 stars
by OpenSISE · c · poc
https://github.com/OpenSISE/CVE_PoC_Collect/tree/master/EoP/linux/CVE-2014-0038

This repository contains a functional local privilege escalation exploit for CVE-2014-0038, targeting the X86_X32 recvmmsg syscall vulnerability in the Linux kernel. The exploit manipulates the ptmx_fops structure to achieve root privileges by overwriting kernel memory.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (Ubuntu 13.10, kernel 3.11.0-12-generic)
No auth needed
Prerequisites: X86_X32 architecture · kernel symbols (ptmx_fops, tty_release, commit_creds, prepare_kernel_cred)
devstral-2 · analyzed Feb 27, 2026

nomisec · WRITEUP
by kiruthikan99 · poc
https://github.com/kiruthikan99/IT19115276

This repository contains a writeup explaining the exploitation of CVE-2014-0038, a vulnerability in the Linux kernel. The README.md file describes the process with screenshots but does not include actual exploit code.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Linux kernel (versions affected by CVE-2014-0038)
No auth needed
Prerequisites: Access to a vulnerable Linux system · Local user privileges
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GOOD
by h00die, rebel · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/recvmmsg_priv_esc.rb

This Metasploit module exploits CVE-2014-0038, a Linux kernel privilege escalation vulnerability via a crafted recvmmsg system call with a manipulated timeout pointer. It supports specific Ubuntu 13.x kernels and may take up to 13 minutes to execute due to a decrementing pointer.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Linux Kernel (Ubuntu 13.04/13.10 with kernels 3.8.0-19-generic, 3.11.0-12-generic, or 3.11.0-15-generic)
No auth needed
Prerequisites: Access to a vulnerable Ubuntu system with a supported kernel version · Write permissions in a non-noexec directory (e.g., /tmp) · GCC for live compilation (optional)
devstral-2 · analyzed Feb 16, 2026

References (19)

Core References
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2096-1
Third Party Advisory x_refsource_misc
https://github.com/saelo/cve-2014-0038
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2095-1
Exploit x_refsource_misc
http://pastebin.com/raw.php?i=DH3Lbg54
Third Party Advisory x_refsource_misc
https://code.google.com/p/chromium/issues/detail?id=338594
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2094-1
Third Party Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2014:038
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/56669
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/65255
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40503/
Third Party Advisory x_refsource_confirm
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.2
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1060023
Third Party Advisory, VDB Entry vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00002.html
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/31347
Third Party Advisory, VDB Entry vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00003.html
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/31346
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/01/31/2

Scores

EPSS 0.5152
EPSS Percentile 98.0%

Details

CWE CWE-20
Status published
Products (2)
linux/linux_kernel 3.4 - 3.4.79
opensuse/opensuse 12.3
Published Feb 06, 2014
Tracked Since Feb 18, 2026