CVE-2016-4557

HIGH

Linux BPF doubleput UAF Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-4557. PoCs published by Metasploit, Google Security Research, [email protected], h00die <[email protected]>, including the Metasploit module exploits/linux/local/bpf_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-4557, a use-after-free in the Linux kernel's eBPF verifier. Crafted BPF instructions reference a file descriptor that is not a BPF map, which makes the verifier call fdput() twice on that descriptor's struct file; the module turns the resulting dangling file reference into root privileges on vulnerable systems.

Description

The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor. Concretely, the callee that validates the descriptor (__bpf_map_get()) already calls fdput() on its error path, so the caller's own fdput() drops the reference a second time; the struct file then has one reference fewer than its users and can be freed while the descriptor is still installed in the process's fd table. The fix removes the redundant fdput() from the caller.
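The double drop described above, modelled in C as an added illustration for this page. This is not the kernel's code: struct file, struct fd, fdget(), fdput() and map_from_fd() are simplified stand-ins that only mirror the shape of kernel/bpf/verifier.c and kernel/bpf/syscall.c. A descriptor that is not a BPF map is looked up by a verifier-like caller; the callee releases the reference on its error path, and the pre-fix caller releases it again, destroying the fd table's own reference.

```c
/* Added illustration of the CVE-2016-4557 reference-count bug. Not kernel
 * code: the types and functions below are simplified stand-ins that mirror
 * the shape of the real verifier/syscall code, not their definitions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for struct file: a use count plus a flag recording that the
 * object was released (a real kernel would hand the memory back to the
 * slab allocator and later reuse it for another file). */
struct file {
    long f_count;
    bool freed;
    bool is_bpf_map;   /* only fds backed by bpf_map_fops are valid here */
};

#define FDPUT_FPUT 1   /* fdput() owes one reference drop */

struct fd {
    struct file *file;
    unsigned int flags;
};

static void fput(struct file *f) {
    if (f->freed)       /* in the kernel this would be a use-after-free */
        return;
    if (--f->f_count == 0)
        f->freed = true;
}

/* fdget() on a shared file table (multi-threaded task) takes a reference;
 * on an unshared table it does not and fdput() is then a no-op. Modelled
 * here as always taking one, the case the public PoCs rely on. */
static struct fd fdget(struct file *f) {
    f->f_count++;
    return (struct fd){ .file = f, .flags = FDPUT_FPUT };
}

static void fdput(struct fd fd) {
    if (fd.flags & FDPUT_FPUT)
        fput(fd.file);
}

/* Stand-in for __bpf_map_get(): on error it drops the reference itself. */
static int map_from_fd(struct fd f) {
    if (!f.file->is_bpf_map) {
        fdput(f);
        return -EINVAL;
    }
    return 0;
}

/* Pre-fix caller: drops the reference a second time on the error path. */
static int replace_map_fd_vulnerable(struct file *f) {
    struct fd fd = fdget(f);
    int err = map_from_fd(fd);
    if (err) {
        fdput(fd);      /* double fdput(): the bug */
        return err;
    }
    fdput(fd);          /* success path: one drop, matching fdget() */
    return 0;
}

/* Fixed caller: the callee already released the reference on error. */
static int replace_map_fd_fixed(struct file *f) {
    struct fd fd = fdget(f);
    int err = map_from_fd(fd);
    if (err)
        return err;
    fdput(fd);
    return 0;
}

/* Run one variant against a non-map file that the fd table still references
 * (f_count == 1) and report whether that table reference was destroyed. */
static bool frees_table_reference(int (*variant)(struct file *)) {
    struct file f = { .f_count = 1, .freed = false, .is_bpf_map = false };
    int err = variant(&f);
    return err == -EINVAL && f.freed;
}

/* Same check on a genuine map fd: both variants must leave f_count balanced. */
static long count_after_valid_map(int (*variant)(struct file *)) {
    struct file f = { .f_count = 1, .freed = false, .is_bpf_map = true };
    if (variant(&f) != 0)
        return -1;
    return f.f_count;
}

int main(void) {
    printf("vulnerable variant frees the fd table's file: %s\n",
           frees_table_reference(replace_map_fd_vulnerable) ? "yes" : "no");
    printf("fixed variant frees the fd table's file:      %s\n",
           frees_table_reference(replace_map_fd_fixed) ? "yes" : "no");
    return 0;
}
```

The comment on fdget() is the part that matters for exploitation: with an unshared file table fdget() takes no reference and the extra fdput() does nothing, but once the process has threads the table is shared, fdget() does take a reference, and the second fdput() removes the fd table's reference while the descriptor is still installed. That dangling struct file is what the PoCs build on.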

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/40759

This Metasploit module exploits CVE-2016-4557, a Linux BPF local privilege escalation vulnerability. It leverages BPF syscalls to manipulate file descriptors and achieve root privileges on vulnerable systems.

Classification
Working Poc 95%
Attack Type
LPE
Complexity
Complex
Reliability
Reliable
Target: Linux kernel >= 4.4 and < 4.5.5 with CONFIG_BPF_SYSCALL enabled
No auth needed
Prerequisites: CONFIG_BPF_SYSCALL enabled · kernel.unprivileged_bpf_disabled not set to 1 · fuse installed
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC · VERIFIED
by Google Security Research · text · local · linux
https://www.exploit-db.com/exploits/39772

This exploit leverages a use-after-free vulnerability in the Linux kernel's eBPF subsystem (CVE-2016-4557) to achieve local privilege escalation. The flaw arises from a double fdput() call when handling invalid eBPF map file descriptors, allowing an attacker to manipulate file references and gain root access.

Classification
Working Poc 100%
Attack Type
LPE
Complexity
Complex
Reliability
Reliable
Target: Linux kernel >= 4.4 and < 4.5.5 with CONFIG_BPF_SYSCALL enabled
No auth needed
Prerequisites: Linux kernel >=4.4 with CONFIG_BPF_SYSCALL enabled · kernel.unprivileged_bpf_disabled sysctl not set to 1
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · GOOD
by [email protected], h00die <[email protected]> · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/bpf_priv_esc.rb

This Metasploit module exploits CVE-2016-4557, a use-after-free vulnerability in the Linux kernel's eBPF subsystem, to achieve local privilege escalation. It targets Linux kernel versions from 4.4 up to, but not including, 4.5.5 by manipulating file descriptors, and requires the bpf() syscall to be compiled in and reachable by unprivileged users, plus FUSE on the target.

Classification
Working Poc 100%
Attack Type
LPE
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel >= 4.4 and < 4.5.5 with CONFIG_BPF_SYSCALL enabled
No auth needed
Prerequisites: CONFIG_BPF_SYSCALL enabled · kernel.unprivileged_bpf_disabled not set to 1 · fuse package installed · gcc and libfuse-dev for compilation
devstral-2 · analyzed Feb 16, 2026
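The prerequisites listed for all three exploits (CONFIG_BPF_SYSCALL, unprivileged access to bpf(), a kernel in the affected window, and FUSE for the public PoCs) can be checked from an unprivileged shell before anyone reaches for the exploit. The following C program is an added example written for this page; it is not one of the tracked exploits or a vendor tool. The 4.4.11 boundary (read from this page's product range) and the treatment of an absent sysctl as "not blocking" are assumptions, noted in the comments.

```c
/* Added host-exposure check for CVE-2016-4557. Not one of the exploits
 * listed on this page and not a vendor tool; version boundaries and the
 * meaning of an absent sysctl are assumptions called out below. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>

enum verdict { NOT_AFFECTED, MITIGATED, EXPOSED };
static const char *verdict_name[] = { "not affected", "mitigated", "exposed" };

/* Parse "4.4.0-21-generic"-style release strings; a missing patch level is 0. */
static bool parse_kver(const char *rel, int *maj, int *min, int *pat) {
    *maj = *min = *pat = 0;
    return sscanf(rel, "%d.%d.%d", maj, min, pat) >= 2;
}

/* Affected window. "before 4.5.5" is from the description; the 4.4 branch
 * boundary reads this page's product range "4.4 - 4.4.11" as an exclusive
 * upper bound (assumption: 4.4.11 carries the fix). Distribution kernels
 * backport fixes without bumping the version, so a hit here is a screening
 * signal, not proof. */
static bool kver_affected(int maj, int min, int pat) {
    if (maj != 4) return false;
    if (min == 4) return pat < 11;
    if (min == 5) return pat < 5;
    return false;
}

/* kernel.unprivileged_bpf_disabled: 0 lets unprivileged users call bpf();
 * any non-zero value blocks them. NULL (sysctl missing or unreadable) is
 * treated as 0, i.e. not blocking (assumption). */
static bool sysctl_blocks_unpriv_bpf(const char *value) {
    return value != NULL && strtol(value, NULL, 10) != 0;
}

/* True when CONFIG_BPF_SYSCALL=y appears as a whole line in a config dump. */
static bool config_has_bpf_syscall(const char *config) {
    static const char want[] = "CONFIG_BPF_SYSCALL=y";
    for (const char *p = config; p && *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == sizeof want - 1 && memcmp(p, want, len) == 0)
            return true;
        p = eol ? eol + 1 : NULL;
    }
    return false;
}

/* Combine the checks in the order a reviewer would short-circuit them. */
static enum verdict assess(const char *release, const char *sysctl_value,
                           const char *config) {
    int maj, min, pat;
    if (!parse_kver(release, &maj, &min, &pat) || !kver_affected(maj, min, pat))
        return NOT_AFFECTED;
    if (!config_has_bpf_syscall(config))
        return NOT_AFFECTED;          /* no bpf() syscall, no verifier path */
    if (sysctl_blocks_unpriv_bpf(sysctl_value))
        return MITIGATED;             /* unprivileged users cannot reach it */
    return EXPOSED;
}

/* Read a text file into buf; NULL when it cannot be opened. */
static char *slurp(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return buf;
}

static char config_buf[1 << 19];   /* kernel configs run to a few hundred KB */

int main(void) {
    struct utsname u;
    char sysctl_buf[32], path[256];
    if (uname(&u) != 0) return 1;
    const char *sysctl = slurp("/proc/sys/kernel/unprivileged_bpf_disabled",
                               sysctl_buf, sizeof sysctl_buf);
    snprintf(path, sizeof path, "/boot/config-%s", u.release);
    const char *config = slurp(path, config_buf, sizeof config_buf);
    if (!config)                       /* no config on disk: assume built in */
        config = "CONFIG_BPF_SYSCALL=y";
    enum verdict v = assess(u.release, sysctl, config);
    printf("kernel %s: %s\n", u.release, verdict_name[v]);
    printf("unprivileged_bpf_disabled: %ld\n",
           sysctl ? strtol(sysctl, NULL, 10) : -1L);
    /* The published PoCs additionally need FUSE; the bug itself does not. */
    printf("/dev/fuse present (PoC prerequisite): %s\n",
           access("/dev/fuse", F_OK) == 0 ? "yes" : "no");
    return v == EXPOSED ? 2 : 0;
}
```

Setting kernel.unprivileged_bpf_disabled=1 is the one-line mitigation this check reports as MITIGATED; it stops unprivileged callers from reaching the verifier at all, which is why it appears in every prerequisite list above. The FUSE line is printed separately because removing FUSE only breaks the published PoCs, not the underlying use-after-free.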

References (9)

Core References
Third Party Advisory (Debian bug tracker)
https://bugs.debian.org/823603
Mailing List, Third Party Advisory (SUSE vendor advisory)
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html
Issue Tracking, Third Party Advisory (Red Hat Bugzilla)
https://bugzilla.redhat.com/show_bug.cgi?id=1334307
Mailing List, Third Party Advisory (oss-security)
http://www.openwall.com/lists/oss-security/2016/05/06/4
Third Party Advisory, VDB Entry, Exploit (Exploit-DB)
https://www.exploit-db.com/exploits/40759/

Scores

CVSS v3 7.8
EPSS 0.1020
EPSS Percentile 95.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
linux/linux_kernel 4.4 - 4.4.11
Published May 23, 2016
Tracked Since Feb 18, 2026