CVE-2016-6187

HIGH

Linux kernel <4.6.5 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-6187. PoCs published by Vitaly Nikolenko, Milo-D, vnik5287.

AI-analyzed exploit summary: The public PoCs abuse a heap off-by-one NUL-byte write in the Linux kernel's AppArmor setprocattr hook (CVE-2016-6187), reached by writing to /proc/self/attr/current, to overwrite the first byte of whatever kernel heap object sits next to the attribute buffer. Vitaly Nikolenko's PoC places System V message queue objects as those neighbours and uses userfaultfd to pause kernel execution on a user-controlled page fault; it demonstrates control of execution by diverting the kernel to the marker address 0xdeadbeef rather than by spawning a shell. Milo-D's exploit builds on the same primitive to obtain root.

Description

The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook. The hook is reached by writing to /proc/self/attr/current; once proc_pid_attr_write() switched to memdup_user(), the buffer handed to the hook is a kmalloc allocation of exactly the written size, and the hook's unconditional NUL termination at args[size] writes one byte past it into the neighbouring slab object.
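Added illustration, not code from this page, the kernel tree or any of the listed PoCs: a user-space model of the off-by-one described above, next to the shape of the 4.6.5 fix (a fresh size+1 copy is terminated instead of the caller's buffer). malloc and memcpy stand in for kmalloc and memdup_user, the byte immediately after the size-byte chunk stands in for the first byte of the neighbouring slab object, and the names setprocattr_vulnerable, setprocattr_fixed, neighbour_clobbered and MODEL_PAGE_SIZE are the model's own assumptions.

```c
/*
 * Added illustration (not code from this page, the kernel tree or any
 * listed PoC): a user-space model of the CVE-2016-6187 off-by-one next
 * to the shape of the 4.6.5 fix.  malloc/memcpy stand in for
 * kmalloc/memdup_user; the byte right after the `size`-byte chunk stands
 * in for the first byte of the neighbouring slab object.  Names and the
 * page-size constant are the model's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096
#define NEIGHBOUR_MARK  0xA5   /* what the next slab object holds before the hook runs */

/*
 * Pre-4.6.5 shape.  The hook was written when its caller handed it a
 * whole page, so the only guard is "don't terminate if the page is
 * full".  Once the caller switched to memdup_user(), `args` is exactly
 * `size` bytes long and args[size] is the neighbour's first byte.
 */
static int setprocattr_vulnerable(unsigned char *args, size_t size)
{
    if (size == 0)
        return -1;                          /* -EINVAL */
    if (args[size - 1] != '\0') {
        if (size == MODEL_PAGE_SIZE)
            return -1;                      /* -EINVAL: only this size was refused */
        args[size] = '\0';                  /* one NUL byte past the allocation */
    }
    return 0;
}

/*
 * 4.6.5 shape.  The input is never written to; if it lacks a terminator
 * the hook takes its own size+1 copy (kmalloc(size + 1) upstream) and
 * terminates that.  The caller frees *largs.
 */
static int setprocattr_fixed(const unsigned char *value, size_t size,
                             unsigned char **largs)
{
    *largs = NULL;
    if (size == 0 || size > MODEL_PAGE_SIZE)
        return -1;                          /* -EINVAL */
    if (value[size - 1] != '\0') {
        unsigned char *copy = malloc(size + 1);
        if (!copy)
            return -2;                      /* -ENOMEM */
        memcpy(copy, value, size);
        copy[size] = '\0';                  /* inside the new allocation */
        *largs = copy;
    }
    return 0;
}

/*
 * Lay out a `size`-byte attribute write followed by the neighbour marker,
 * run one variant of the hook, and report what happened to the marker:
 *   1  marker overwritten (the off-by-one landed in the next object)
 *   0  marker intact
 *  -1  the hook rejected the input
 * `terminated` builds an input that already ends in NUL.
 */
static int neighbour_clobbered(size_t size, int vulnerable, int terminated)
{
    unsigned char *buf = malloc(size + 1);
    if (!buf)
        return -1;
    memset(buf, 'A', size);                 /* constructed input, no terminator */
    if (terminated && size > 0)
        buf[size - 1] = '\0';
    buf[size] = NEIGHBOUR_MARK;

    int rc;
    if (vulnerable) {
        rc = setprocattr_vulnerable(buf, size);
    } else {
        unsigned char *copy;
        rc = setprocattr_fixed(buf, size, &copy);
        free(copy);
    }
    int result = (rc == 0) ? (buf[size] != NEIGHBOUR_MARK) : -1;
    free(buf);
    return result;
}

int main(void)
{
    size_t sizes[] = { 64, 128, 1024, 4095, 4096 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size %4zu: vulnerable=%2d fixed=%2d\n", sizes[i],
               neighbour_clobbered(sizes[i], 1, 0),
               neighbour_clobbered(sizes[i], 0, 0));
    return 0;
}
```

Every unterminated write below the page size clobbers the neighbour in the old shape and leaves it alone in the fixed one; the single size the old check refused (a full page) is the one size that could not have overflowed a page-sized buffer, which is why "does not validate the buffer size" is the heart of the CVE. A kernel-side equivalent of this check is what distributions backported, so on a patched distro kernel the version number alone does not tell you whether the hook is fixed.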

Exploits (3)

exploitdb WORKING POC
by Vitaly Nikolenko · cdoslinux
https://www.exploit-db.com/exploits/44301

Vitaly Nikolenko's proof of concept for the AppArmor off-by-one: a write of exactly size bytes to /proc/self/attr/current makes apparmor_setprocattr place a NUL byte one past a kmalloc chunk of that size, clobbering the first byte of the neighbouring object. The PoC arranges System V message queue objects as those neighbours, uses userfaultfd to pause kernel execution on a controlled page fault, and finishes by redirecting kernel execution to 0xdeadbeef to demonstrate that the corruption yields control of the instruction pointer; it does not spawn a root shell.

Classification
Working PoC 95%
Attack Type
LPE
Complexity
Complex
Reliability
Racy
Target: Linux kernel < 4.6.5 with AppArmor enabled
No auth needed
Prerequisites: Linux system with a vulnerable kernel (< 4.6.5) and AppArmor enabled · Ability to compile and execute C code · userfaultfd() callable by an unprivileged user (the default on the affected 4.x kernels; neither root nor a user namespace is needed)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 7 stars
by Milo-D · poc
https://github.com/Milo-D/CVE-2016-6187_LPE

This repository contains a functional local privilege escalation exploit for CVE-2016-6187, targeting Linux kernels < 4.6.5. The exploit leverages the heap-based null-byte overflow in AppArmor's setprocattr LSM hook to achieve arbitrary memory corruption, bypass KASLR/SMEP/SMAP, and escalate privileges to root.

Classification
Working PoC 100%
Attack Type
LPE
Complexity
Complex
Reliability
Racy
Target: Linux kernel < 4.6.5
No auth needed
Prerequisites: Unprivileged access to /dev/rfkill · Kernel version < 4.6.5 · AppArmor enabled
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 5 stars
by vnik5287 · poc
https://github.com/vnik5287/cve-2016-6187-poc

Vitaly Nikolenko's GitHub repository for the same proof of concept as the exploit-db entry above: a heap off-by-one NUL-byte write from the AppArmor setprocattr hook, with userfaultfd used to pause kernel execution on a controlled page fault, ending in a redirect of kernel execution to 0xdeadbeef to demonstrate control of the instruction pointer.

Classification
Working PoC 95%
Attack Type
LPE
Complexity
Complex
Reliability
Racy
Target: Linux kernel < 4.6.5 with AppArmor enabled
No auth needed
Prerequisites: Linux system with a vulnerable kernel (< 4.6.5) and AppArmor enabled · Ability to compile and execute C code
devstral-2 · analyzed Feb 18, 2026

References (7)

Core References (4)
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2016/07/09/2
Third Party Advisory: http://marc.info/?l=linux-kernel&m=146793642811929&w=2
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=1354383
Third Party Advisory, VDB Entry: http://www.securityfocus.com/bid/91696

Scores

CVSS v3 7.8 (High)
EPSS 0.0608 (about 6% predicted probability of exploitation activity in the next 30 days)
EPSS Percentile 91.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-119 CWE-264
Status published
Products (1)
linux/linux_kernel 4.5 up to and including 4.6.4 (fixed in 4.6.5)
Published Aug 06, 2016
Tracked Since Feb 18, 2026