CVE-2015-1328

HIGH EXPLOITED

Linux kernel <3.19.0-21.21 - Privilege Escalation

Exploitation Summary

CVE-2015-1328 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 13 public exploits from researchers including Metasploit, rebel and elit3pwner, among them the Metasploit module exploits/linux/local/overlayfs_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2015-1328 and CVE-2015-8660, both related to overlayfs privilege escalation vulnerabilities in specific Ubuntu kernel versions. It checks for vulnerable kernels, compiles or drops an exploit binary, and executes it to gain elevated privileges.

Description

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.

Exploits (13)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/40688

This Metasploit module exploits CVE-2015-1328 and CVE-2015-8660, both related to overlayfs privilege escalation vulnerabilities in specific Ubuntu kernel versions. It checks for vulnerable kernels, compiles or drops an exploit binary, and executes it to gain elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (Ubuntu specific versions)
No auth needed
Prerequisites: gcc (for compilation) · writable directory (e.g., /tmp) · vulnerable kernel version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by rebel · text · local · linux
https://www.exploit-db.com/exploits/37293

This exploit leverages a flaw in overlayfs where file permissions are not correctly checked during copy-up operations, allowing an unprivileged user to escalate privileges by manipulating files in the upper filesystem directory. The provided example demonstrates creating a world-writable /etc/ld.so.preload file to achieve root access.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel with overlayfs and CONFIG_USER_NS=y (Ubuntu 12.04, 14.04, 14.10, 15.04)
No auth needed
Prerequisites: Unprivileged user access · Kernel with CONFIG_USER_NS=y · overlayfs enabled · Mount namespace access
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by rebel · c · local · linux
https://www.exploit-db.com/exploits/37292

This exploit leverages CVE-2015-1328 to achieve local privilege escalation on Ubuntu systems by manipulating overlayfs mount permissions and injecting a malicious shared library via /etc/ld.so.preload. It spawns threads to create namespaces and mount overlayfs in a way that allows writing to restricted files.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
No auth needed
Prerequisites: Local access to the target system · Kernel with vulnerable overlayfs implementation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 10 stars
by elit3pwner · local
https://github.com/elit3pwner/CVE-2015-1328-GoldenEye

This is a working local privilege escalation exploit for CVE-2015-1328, targeting Ubuntu systems with kernels before 2015-06-15. It leverages incorrect permission handling in overlayfs to gain root access by manipulating /etc/ld.so.preload.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (Ubuntu 12.04, 14.04, 14.10, 15.04 with kernels before 2015-06-15)
No auth needed
Prerequisites: Local access to the target system · Overlayfs enabled in the kernel · User namespace support
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by saqib-butt2 · poc
https://github.com/saqib-butt2/blackbox-pentesting-infsecos

This repository documents a black-box penetration test against SecOS:1 (VulnHub), detailing the exploitation of CVE-2015-1328 (OverlayFS privilege escalation) among other vulnerabilities. It includes step-by-step commands, tools used, and post-exploitation activities, but does not contain functional exploit code.

Classification: Writeup 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel 3.13.0-24 (OverlayFS)
Auth required
Prerequisites: access to a vulnerable Linux kernel (3.13.0-24) · local user access
devstral-2 · analyzed May 19, 2026

nomisec WORKING POC
by 0xf1d0 · local
https://github.com/0xf1d0/CVE-2015-1328

This is a functional privilege escalation PoC for CVE-2015-1328, exploiting overlayfs and user namespaces to gain root access via LD_PRELOAD manipulation. The exploit creates isolated namespaces, mounts overlayfs, and injects a malicious shared library to hijack getuid() and spawn a root shell.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel with overlayfs and user namespaces (e.g., Ubuntu 14.04 LTS with kernel versions prior to 3.19.0-21.21)
No auth needed
Prerequisites: User namespaces enabled (kernel.unprivileged_userns_clone=1) · Overlayfs filesystem support · Unpatched kernel version · Local unprivileged user access
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by thieveshkar · poc
https://github.com/thieveshkar/RootQuest-CTF-Box-Multi-Stage-Exploitation-VM

This repository is a writeup and documentation for a CTF VM (RootQuest) that includes a multi-stage exploitation path, with one stage involving the use of CVE-2015-1328 (OverlayFS) for privilege escalation. It does not contain exploit code but describes the process and provides links to external resources.

Classification: Writeup 100%
Attack Type: Other
Complexity: Complex
Reliability: Theoretical
Target: Linux Kernel (OverlayFS)
No auth needed
Prerequisites: Access to the CTF VM · Completion of prior stages in the CTF
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by 1mgR00T · local
https://github.com/1mgR00T/CVE-2015-1328

This exploit leverages CVE-2015-1328, a vulnerability in overlayfs on Ubuntu kernels before 2015-06-15, to achieve local privilege escalation by manipulating mount namespaces and creating a malicious shared library loaded via /etc/ld.so.preload.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
No auth needed
Prerequisites: Unpatched Ubuntu system with vulnerable kernel · User namespace creation permissions
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by YastrebX · local
https://github.com/YastrebX/CVE-2015-1328

This exploit leverages CVE-2015-1328, a vulnerability in the Linux kernel's overlayfs implementation, to achieve local privilege escalation (LPE) by manipulating mount namespaces and preloading a malicious shared library. The PoC creates a fake /etc/ld.so.preload file and injects a library that spawns a root shell when /bin/su is executed.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (versions affected by CVE-2015-1328)
No auth needed
Prerequisites: User namespace creation permissions (unprivileged user namespaces enabled) · GCC and development tools to compile the shared library · Access to overlayfs and mount syscalls
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by h00die, rebel · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/overlayfs_priv_esc.rb

This Metasploit module exploits CVE-2015-1328 and CVE-2015-8660, both privilege escalation vulnerabilities in the Linux kernel's overlayfs implementation. It checks for vulnerable kernel versions, compiles or drops the exploit binary, and executes it to gain root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (Ubuntu, Fedora, Red Hat) with overlayfs
No auth needed
Prerequisites: gcc (for live compilation) · writable directory (e.g., /tmp) · vulnerable kernel version
devstral-2 · analyzed Apr 23, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75206
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37292/
Exploit, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/40688/
Third Party Advisory x_refsource_confirm
https://security-tracker.debian.org/tracker/CVE-2015-1328
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2015/q2/717

Scores

CVSS v3 7.8
EPSS 0.8957
EPSS Percentile 99.6%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-08-19
CWE CWE-264
Status published
Products (2)
canonical/ubuntu_linux < 15.04
linux/linux_kernel < 3.19
Published Nov 28, 2016
Tracked Since Feb 18, 2026