CVE-2016-9793

HIGH

Linux Kernel 3.5-3.12.69 - Memory Corruption via Negative sk_sndbuf/sk_rcvbuf Values


Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-9793. PoCs published by Andrey Konovalov, codecat007.

AI-analyzed exploit summary: This exploit leverages a race condition in the Linux kernel (CVE-2016-9793) to achieve local privilege escalation (LPE) by manipulating socket buffers and overwriting kernel memory to execute arbitrary code with root privileges.

Description

The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.

Exploits (2)

exploitdb WORKING POC
by Andrey Konovalov · c · local · linux
https://www.exploit-db.com/exploits/41995

This exploit leverages a race condition in the Linux kernel (CVE-2016-9793) to achieve local privilege escalation (LPE) by manipulating socket buffers and overwriting kernel memory to execute arbitrary code with root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Linux kernel versions 3.11 to 4.8
No auth needed
Prerequisites: CAP_NET_ADMIN capability · Compilation with pthread support · Execution in a vulnerable kernel environment
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 8 stars
by codecat007 · c · poc
https://github.com/codecat007/cvehub/tree/main/android/kernel/EXP-CVE-2016-9793

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2016-9793, which abuses the SO_SNDBUFFORCE and SO_RCVBUFFORCE socket options to achieve root privileges. The exploit manipulates kernel memory structures to overwrite critical data and escalate privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel versions 3.11 to 4.8
Auth required
Prerequisites: CAP_NET_ADMIN capability · No KASLR, SMEP, or SMAP bypass included
devstral-2 · analyzed Feb 27, 2026

References (12)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037968
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:0932
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94655
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/12/03/1
Release Notes, Vendor Advisory x_refsource_confirm
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.14
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:0933
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:0931
Third Party Advisory x_refsource_confirm
https://source.android.com/security/bulletin/2017-03-01.html
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1402013

Scores

CVSS v3 7.8
EPSS 0.0297
EPSS Percentile 86.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-119
Status published
Products (1)
linux/linux_kernel 3.5 - 3.12.69
Published Dec 28, 2016
Tracked Since Feb 18, 2026