CVE-2015-3636

EXPLOITED

Linux kernel <4.0.3 - Use After Free

Title source: llm

Exploitation Summary

CVE-2015-3636 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 10 public exploits from researchers including fi01, android-rooting-tools, and Miracle963.

AI-analyzed exploit summary: This PoC exploits CVE-2015-3636, a local privilege escalation vulnerability in the Linux kernel. It manipulates kernel structures to gain root privileges by modifying task credentials and capabilities.

Description

The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.

Exploits (10)

nomisec WORKING POC 135 stars
by fi01 · dos
https://github.com/fi01/CVE-2015-3636

This PoC exploits CVE-2015-3636, a local privilege escalation vulnerability in the Linux kernel. It manipulates kernel structures to gain root privileges by modifying task credentials and capabilities.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2015-3636)
No auth needed
Prerequisites: Local access to the vulnerable system · Kernel version affected by CVE-2015-3636
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 45 stars
by android-rooting-tools · local
https://github.com/android-rooting-tools/libpingpong_exploit

This exploit targets CVE-2015-3636, a vulnerability in the Linux kernel's handling of ICMP sockets, leading to a local privilege escalation (LPE). The code creates a large number of ICMP sockets to trigger a use-after-free condition, allowing arbitrary kernel memory manipulation.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2015-3636)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2015-3636
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 38 stars
by Miracle963 · pythonpoc
https://github.com/Miracle963/bluetooth-cve/tree/master/littl_tools/android_root/cve-2015-3636

This repository contains a functional exploit for CVE-2015-3636, a Linux kernel vulnerability affecting Android devices. The exploit leverages socket manipulation and memory corruption to achieve local privilege escalation (LPE) by targeting kernel structures and bypassing address space layout randomization (ASLR).

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (Android devices)
No auth needed
Prerequisites: Linux kernel with vulnerable socket implementation · Android device with root access restrictions
devstral-2 · analyzed Feb 27, 2026

github WORKING POC 31 stars
by OpenSISE · cpoc
https://github.com/OpenSISE/CVE_PoC_Collect/tree/master/EoP/android/CVE-2015-3636

The repository contains functional exploit code for CVE-2015-3636, a local privilege escalation vulnerability in the Linux kernel. The PoC manipulates task credentials to obtain root privileges by exploiting a race condition in the kernel's handling of socket structures.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2015-3636)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2015-3636
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 18 stars
by a7vinx · dos
https://github.com/a7vinx/CVE-2015-3636

This repository contains a privilege escalation exploit for CVE-2015-3636, targeting a vulnerability in the Linux kernel. The exploit manipulates kernel memory to escalate privileges to root by modifying task credentials and capabilities.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2015-3636)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by betalphafai · poc
https://github.com/betalphafai/cve-2015-3636_crash

This PoC demonstrates a crash in the Linux kernel (CVE-2015-3636) by manipulating socket connections with invalid parameters, leading to a denial-of-service condition. The code creates a raw ICMP socket and attempts to connect it with an invalid address family, triggering the vulnerability.

Classification: Working PoC (90%)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Linux kernel (versions affected by CVE-2015-3636)
No auth needed
Prerequisites: Linux system with vulnerable kernel · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by askk · remote
https://github.com/askk/libping_unhash_exploit_POC

This PoC exploits CVE-2015-3636, a local privilege escalation vulnerability in the Linux kernel's ping socket implementation. It manipulates kernel memory via a race condition to achieve arbitrary read/write, leading to privilege escalation.

Classification: Working PoC (90%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2015-3636)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2015-3636
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by debugfan · dos
https://github.com/debugfan/rattle_root

This exploit targets CVE-2015-3636, a local privilege escalation vulnerability in the Linux kernel. It manipulates socket structures and memory management to achieve root access by exploiting a race condition in the kernel's handling of ICMP sockets.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2015-3636)
Auth required
Prerequisites: Local access to the target system · Ability to compile and execute C code · Kernel version vulnerable to CVE-2015-3636
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by ludongxu · poc
https://github.com/ludongxu/cve-2015-3636

The repository contains only a README.md file with the CVE identifier and no exploit code or technical details. It appears to be a placeholder or stub.

Classification: Stub (10%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
dos
https://gitlab.com/smeraz24/libpingpong_exploit

This repository contains a functional exploit for CVE-2015-3636, a Linux kernel vulnerability involving ICMP socket handling and memory corruption. The exploit manipulates kernel memory structures to achieve privilege escalation by leveraging race conditions and memory management flaws.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2015-3636)
No auth needed
Prerequisites: Linux system with vulnerable kernel · ability to create ICMP sockets · sufficient memory and file descriptor limits
devstral-2 · analyzed May 19, 2026

References (28)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3290
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2632-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158804.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/05/02/5
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033186
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157897.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1643.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1218074
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1583.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1534.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1564.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1221.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157788.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2633-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74450
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2631-1
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2634-1

Scores

EPSS 0.0247
EPSS Percentile 82.4%

Details

VulnCheck KEV 2018-01-16
Status published
Products (4)
canonical/ubuntu_linux 12.04
debian/debian_linux 7.0
linux/linux_kernel < 4.0.2
redhat/enterprise_linux 6.0
Published Aug 06, 2015
Tracked Since Feb 18, 2026