CVE-2014-4699

Linux kernel <3.15.4 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-4699. PoCs published by Vitaly Nikolenko, vnik5287.

AI-analyzed exploit summary: This exploit leverages a ptrace/sysret vulnerability (CVE-2014-4699) to manipulate kernel execution flow, targeting a specific Linux kernel version (3.2.0-23-generic). It attempts to overwrite the IDT and redirect execution to a user-controlled payload for privilege escalation.

Description

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

Exploits (2)

exploitdb WORKING POC
by Vitaly Nikolenko · c · local · linux_x86-64
https://www.exploit-db.com/exploits/34134

This exploit leverages a ptrace/sysret vulnerability (CVE-2014-4699) to manipulate kernel execution flow, targeting a specific Linux kernel version (3.2.0-23-generic). It attempts to overwrite the IDT and redirect execution to a user-controlled payload for privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 3.2.0-23-generic (Ubuntu 12.04.0 LTS)
No auth needed
Prerequisites: Linux kernel 3.2.0-23-generic · ptrace permissions · specific memory layout
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC · 1 star
by vnik5287 · poc
https://github.com/vnik5287/cve-2014-4699-ptrace

This PoC exploits CVE-2014-4699, a Linux kernel vulnerability involving ptrace and sysret instructions to achieve privilege escalation. It manipulates registers and memory to trigger a #GP fault and overwrite the #PF handler, redirecting execution to a user-controlled payload.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 3.2.0-23-generic (Ubuntu 12.04.0 LTS)
No auth needed
Prerequisites: Linux kernel 3.2.0-23-generic · ptrace permissions · ability to execute compiled binary
devstral-2 · analyzed Feb 16, 2026

References (33)

Core References
Third Party Advisory x_refsource_confirm
http://linux.oracle.com/errata/ELSA-2014-3047.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2269-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2274-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2268-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2267-1
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/108754
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/60220
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/07/04/4
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2271-1
Release Notes, Vendor Advisory x_refsource_confirm
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.11
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59654
Release Notes, Vendor Advisory x_refsource_confirm
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.97
Release Notes, Vendor Advisory x_refsource_confirm
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.47
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2266-1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/07/08/5
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/07/08/16
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59633
Release Notes, Vendor Advisory x_refsource_confirm
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.4
Third Party Advisory x_refsource_confirm
http://linux.oracle.com/errata/ELSA-2014-0924.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/07/05/4
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/60393
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/60380
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2270-1
Third Party Advisory x_refsource_confirm
http://linux.oracle.com/errata/ELSA-2014-3048.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34134
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59639
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2273-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2272-1
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1115927
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2972

Scores

EPSS 0.0114
EPSS Percentile 78.9%

Details

CWE: CWE-362
Status: published
Products (6)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 13.10
canonical/ubuntu_linux 14.04
debian/debian_linux 7.0
linux/linux_kernel 2.6.17 - 3.2.61
Published Jul 09, 2014
Tracked Since Feb 18, 2026