CVE-2014-9322

HIGH

Linux kernel <3.17.5 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-9322. PoCs published by Ren Kimura, Emeric Nasi, RKX1209.

AI-analyzed exploit summary: This is a proof-of-concept exploit for CVE-2014-9322 (BadIRET), a Linux kernel privilege escalation vulnerability. It leverages raw syscalls to create threads and trigger the vulnerability without relying on external libraries.

Description

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.

Exploits (3)

exploitdb WORKING POC
by Ren Kimura · local · linux
https://www.exploit-db.com/exploits/44205

This is a proof-of-concept exploit for CVE-2014-9322 (BadIRET), a Linux kernel privilege escalation vulnerability. It leverages raw syscalls to create threads and trigger the vulnerability without relying on external libraries.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (versions affected by CVE-2014-9322)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel · Ability to compile and execute the PoC
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Emeric Nasi · c · dos · linux_x86-64
https://www.exploit-db.com/exploits/36266

This PoC exploits CVE-2014-9322, a Linux kernel vulnerability in arch/x86/kernel/entry_64.S, by manipulating the Stack Segment (SS) register to trigger a kernel panic. It uses a secondary thread to invalidate the stack segment while the main thread attempts to use it, leading to a DoS condition.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel before 3.17.5
No auth needed
Prerequisites: x86_64 architecture · Linux kernel version between 3.0.0 and 3.17.4
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 8 stars
by RKX1209 · poc
https://github.com/RKX1209/CVE-2014-9322

This is a proof-of-concept exploit for CVE-2014-9322 (BadIRET), a Linux kernel privilege escalation vulnerability. It manipulates the stack segment via syscalls to trigger the vulnerability, allowing local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2014-9322)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2014-9322
devstral-2 · analyzed Feb 16, 2026

References (22)

Core References
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2491-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=142722450701342&w=2
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html
Mailing List, Patch, Vendor Advisory x_refsource_confirm
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.17.5
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1172806
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0009.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=142722544401658&w=2
Third Party Advisory, VDB Entry x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-16-170
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-2008.html
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62336
Patch, Third Party Advisory x_refsource_confirm
http://source.android.com/security/bulletin/2016-04-02.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-1998.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/36266
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-2028.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-2031.html
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/115919
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/12/15/6
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html

Scores

CVSS v3 7.8
EPSS 0.0541
EPSS Percentile 90.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-269
Status published
Products (7)
canonical/ubuntu_linux 10.04
google/android 6.0
google/android 6.0.1
linux/linux_kernel < 3.2.65
opensuse/evergreen 11.4
redhat/enterprise_linux_eus 5.6
suse/suse_linux_enterprise_server 10 sp4
Published Dec 17, 2014
Tracked Since Feb 18, 2026