CVE-2014-0196

MEDIUM KEV

Linux Kernel < 3.14.3 - Denial of Service and Privilege Escalation via Race Condition in n_tty_write

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2014-0196 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 12, 2023. EIP tracks 3 public exploits from researchers including Matthew Daley, tempbottle, SunRain.

AI-analyzed exploit summary This exploit leverages a race condition in the Linux kernel's PTY handling (CVE-2014-0196) to achieve local privilege escalation by overflowing into a tty_struct and manipulating kernel credentials.

Description

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

Exploits (3)

exploitdb WORKING POC
by Matthew Daley · clocallinux_x86-64
https://www.exploit-db.com/exploits/33516

This exploit leverages a race condition in the Linux kernel's PTY handling (CVE-2014-0196) to achieve local privilege escalation by overflowing into a tty_struct and manipulating kernel credentials.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel <= v3.15-rc4
No auth needed
Prerequisites: Access to a vulnerable Linux kernel version · Ability to compile and execute C code
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by tempbottle · local
https://github.com/tempbottle/CVE-2014-0196

This is a functional privilege escalation exploit for CVE-2014-0196, targeting a race condition in the Linux kernel's n_tty_write function. It manipulates PTY operations to corrupt kernel memory and achieve root access.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel <= v3.15-rc4
No auth needed
Prerequisites: Local user access · Kernel version <= 3.15-rc4
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by SunRain · dos
https://github.com/SunRain/CVE-2014-0196

This is a functional privilege escalation exploit for CVE-2014-0196, targeting a race condition in the Linux kernel's raw mode PTY local echo functionality. It leverages a heap overflow to overwrite a tty_struct and gain root privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel <= v3.15-rc4
No auth needed
Prerequisites: Access to a vulnerable Linux kernel version · Ability to compile and execute the exploit
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (29)

Core 29
Core References
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/106646
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2200-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2203-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00012.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/05/05/6
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59262
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2204-1
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59218
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2202-1
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/33516
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2928
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2199-1
Third Party Advisory x_refsource_confirm
http://linux.oracle.com/errata/ELSA-2014-0771.html
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1094232
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2197-1
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0512.html
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59599
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2926
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00007.html
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://pastebin.com/raw.php?i=yTSFUBgZ
Issue Tracking, Permissions Required, Third Party Advisory x_refsource_confirm
http://bugzilla.novell.com/show_bug.cgi?id=875690
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2198-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2201-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2196-1

Scores

CVSS v3 5.5
EPSS 0.2248
EPSS Percentile 97.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2023-05-12
VulnCheck KEV 2023-05-12
InTheWild.io 2023-05-12
ENISA EUVD EUVD-2014-0247
CWE
CWE-362
Status published
Products (38)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
canonical/ubuntu_linux 13.10
canonical/ubuntu_linux 14.04
debian/debian_linux 6.0
debian/debian_linux 7.0
f5/big-ip_access_policy_manager 11.1.0 - 11.5.1
f5/big-ip_advanced_firewall_manager 11.3.0 - 11.5.1
f5/big-ip_analytics 11.1.0 - 11.5.1
... and 28 more
Published May 07, 2014
KEV Added May 12, 2023
Tracked Since Feb 18, 2026