CVE-2016-1575

HIGH

Linux kernel <4.5.2 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-1575. PoCs published by halfdog.

AI-analyzed exploit summary: This exploit leverages a Linux kernel vulnerability in overlayfs within user namespaces to escalate privileges by manipulating SGID directories. It combines standard tools with custom C programs to create a setgid binary, allowing privilege escalation to groups like staff, mail, or libuuid.

Description

The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.

Exploits (1)

exploitdb WORKING POC
by halfdog · text · local · linux
https://www.exploit-db.com/exploits/41762

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (versions with vulnerable overlayfs implementation)
No auth needed
Prerequisites: User namespace access · Presence of SGID directories · Overlayfs support in kernel
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/02/24/7
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/10/18/1
Third Party Advisory x_refsource_confirm
https://launchpad.net/bugs/1534961

Scores

CVSS v3 7.8
EPSS 0.0092
EPSS Percentile 55.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-269
Status published
Products (8)
canonical/ubuntu_core 15.04
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.10
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 16.10
canonical/ubuntu_touch 15.04
linux/linux_kernel < 4.5.2
Published May 02, 2016
Tracked Since Feb 18, 2026