CVE-2015-8660

MEDIUM

Overlayfs Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 7 public exploits for CVE-2015-8660. PoCs published by Metasploit, rebel, halfdog, including Metasploit module exploits/linux/local/overlayfs_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2015-1328 and CVE-2015-8660, both related to overlayfs privilege escalation vulnerabilities in specific Ubuntu kernel versions. It checks for vulnerable kernels, compiles or drops an exploit binary, and executes it to gain elevated privileges.

Description

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/40688

This Metasploit module exploits CVE-2015-1328 and CVE-2015-8660, both related to overlayfs privilege escalation vulnerabilities in specific Ubuntu kernel versions. It checks for vulnerable kernels, compiles or drops an exploit binary, and executes it to gain elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (Ubuntu specific versions)
No auth needed
Prerequisites: gcc (for compilation) · writable directory (e.g., /tmp) · vulnerable kernel version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by rebel · c · local · linux
https://www.exploit-db.com/exploits/39166

This exploit leverages a vulnerability in overlayfs (CVE-2015-8660) to gain root privileges by manipulating mount namespaces and file permissions. It creates a suid bash binary in a controlled directory structure, then executes it to escalate privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (overlayfs) before 2015-12-26
No auth needed
Prerequisites: Unpatched Linux kernel with overlayfs support · User namespace enabled
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by halfdog · c · local · linux
https://www.exploit-db.com/exploits/39230

This exploit leverages a user namespace and overlayfs mount to escalate privileges by modifying the setuid binary `/bin/su`. It demonstrates a local privilege escalation (LPE) vulnerability in the Linux kernel's handling of overlayfs within user namespaces.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (versions affected by CVE-2015-8660)
No auth needed
Prerequisites: Unprivileged user access · User namespaces enabled · Overlayfs support in kernel
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by whu-enjoy · poc
https://github.com/whu-enjoy/CVE-2015-8660

This repository contains functional exploit code for CVE-2015-8660, a vulnerability in the Linux kernel's overlayfs module. The code includes vulnerable and patched versions of the affected functions, demonstrating the exploit mechanism.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (overlayfs module)
No auth needed
Prerequisites: Access to a vulnerable Linux system with overlayfs enabled
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by carradolly · poc
https://github.com/carradolly/CVE-2015-8660

This is a functional local privilege escalation exploit for CVE-2015-8660, targeting a vulnerability in the Linux kernel's overlayfs implementation. It leverages namespace manipulation and mount operations to gain root privileges by setting the SUID bit on /bin/bash.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (versions before 2015-12-26)
No auth needed
Prerequisites: Unprivileged user access · Kernel version before 2015-12-26 · Overlayfs support in kernel
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP
by nhamle2 · poc
https://github.com/nhamle2/CVE-2015-8660

This repository contains research on CVE-2015-8660, an overlayFS vulnerability in the Linux kernel caused by the ovl_setattr function. It includes a research paper and references to exploit code but does not contain functional exploit code itself.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Linux kernel versions through 4.3.3
No auth needed
Prerequisites: Access to a vulnerable Linux kernel version (through 4.3.3) · Ability to execute crafted applications
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC GOOD
by h00die, rebel · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/overlayfs_priv_esc.rb

This Metasploit module exploits CVE-2015-8660 and CVE-2015-1328, both related to privilege escalation via overlayfs in Linux kernels. It checks for vulnerable kernel versions and compiles/executes exploit code to gain root access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (Ubuntu, Fedora, Red Hat) with vulnerable overlayfs implementations
No auth needed
Prerequisites: gcc (for compilation) · writable directory (e.g., /tmp) · vulnerable kernel version
devstral-2 · analyzed Feb 16, 2026

References (23)

Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39166/
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00039.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00043.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034548
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1541.html
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40688/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/12/23/5
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1539.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2857-2
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1532.html
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1291329
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39230/
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2858-2
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2858-3
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2858-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2857-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/79671
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00040.html

Scores

CVSS v3 6.7
EPSS 0.5835
EPSS Percentile 98.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-264
Status published
Products (1)
linux/linux_kernel 3.18 - 3.18.31
Published Dec 28, 2015
Tracked Since Feb 18, 2026