CVE-2016-4486

LOW

SUSE Linux Enterprise - Information Disclosure via Netlink Message

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4486. PoCs published by Jinbum Park.

AI-analyzed exploit summary This exploit leverages CVE-2016-4486 to leak kernel stack base addresses by spraying the kernel stack via eBPF programs and exploiting uninitialized memory leaks. It demonstrates a local privilege escalation (LPE) technique on Ubuntu 16.04 with kernel 4.4.0-21-generic.

Description

The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.

Exploits (1)

exploitdb WORKING POC

by Jinbum Park · clocallinux

https://www.exploit-db.com/exploits/46006

View Code ZIP pw:eip

This exploit leverages CVE-2016-4486 to leak kernel stack base addresses by spraying the kernel stack via eBPF programs and exploiting uninitialized memory leaks. It demonstrates a local privilege escalation (LPE) technique on Ubuntu 16.04 with kernel 4.4.0-21-generic.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Complex

Reliability

Reliable

Target: Linux Kernel 4.4.0-21-generic (Ubuntu 16.04)

No auth needed

Prerequisites: Linux kernel 4.4.0-21-generic · eBPF support enabled · Local access to the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (29)

Core 29

Core References

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3006-1

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3004-1

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3001-1

Issue Tracking, Third Party Advisory, VDB Entry x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=1333316

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00056.html

Vendor Advisory x_refsource_confirm

https://github.com/torvalds/linux/commit/5f8e44741f9f216e33736ea4ec65ca9ac03036e6

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/90051

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3005-1

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46006/

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2997-1

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3000-1

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3607

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3002-1

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2996-1

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2989-1

Patch x_refsource_confirm

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5f8e44741f9f216e33736ea4ec65ca9ac03036e6

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3007-1

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00038.html

Vendor Advisory x_refsource_confirm

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3003-1

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2998-1

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/05/04/27

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html

Scores

CVSS v3 3.3

EPSS 0.0052

EPSS Percentile 67.4%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-200

Status published

Products (15)

canonical/ubuntu_linux 12.04

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 15.10

canonical/ubuntu_linux 16.04

linux/linux_kernel < 4.5.4

novell/suse_linux_enterprise_debuginfo 11.0 sp4

novell/suse_linux_enterprise_desktop 12.0 (2 CPE variants)

novell/suse_linux_enterprise_live_patching 12.0

novell/suse_linux_enterprise_module_for_public_cloud 12.0

novell/suse_linux_enterprise_real_time_extension 12.0 sp1

... and 5 more

Published May 23, 2016

Tracked Since Feb 18, 2026