CVE-2017-1000112

Severity: HIGH

Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 9 public exploits for CVE-2017-1000112. PoCs have been published by Metasploit, Andrey Konovalov and bcoles, including the Metasploit module exploits/linux/local/ufo_privilege_escalation.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2017-1000112, a Linux kernel vulnerability in UDP Fragmentation Offload (UFO) to achieve local privilege escalation. It targets specific Ubuntu and Linux Mint kernels, requires unprivileged user namespaces and disabled SMAP, and includes bypasses for SMEP and KASLR.

Description

Linux kernel: Exploitable memory corruption due to a UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append data. However, in between two send() calls the append path can be switched from UFO to non-UFO, which leads to memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch that allocates a new skb is taken. This triggers fragmentation and the computation of fraggap = skb_prev->len - maxfraglen. fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out of bounds. A similar issue is present in the IPv6 code. The bug was introduced in commit e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

Exploits (9)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/45147

This Metasploit module exploits CVE-2017-1000112, a Linux kernel vulnerability in UDP Fragmentation Offload (UFO) to achieve local privilege escalation. It targets specific Ubuntu and Linux Mint kernels, requires unprivileged user namespaces and disabled SMAP, and includes bypasses for SMEP and KASLR.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel 4.4.0-21 to 4.4.0-89 and 4.8.0-34 to 4.8.0-58 (Ubuntu Trusty/Xenial and derivatives)
Authentication: No auth needed
Prerequisites: Unprivileged user namespaces enabled · SMAP disabled · Vulnerable kernel version · GCC for live compilation (optional)
Analyzed by devstral-2 on Feb 16, 2026
exploitdb · WORKING POC · VERIFIED
by Andrey Konovalov · c · local · linux
https://www.exploit-db.com/exploits/43418

This is a local privilege escalation exploit for CVE-2017-1000112, targeting Ubuntu kernels 4.4.0-* and 4.8.0-*. It bypasses KASLR and SMEP to achieve root access by leveraging a race condition in the netfilter subsystem.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (Ubuntu trusty 4.4.0-* and xenial 4.8.0-*)
Authentication: Auth required
Prerequisites: Local user access · Compilation environment · Vulnerable kernel version
Analyzed by devstral-2 on Feb 16, 2026
exploitdb · WORKING POC
by bcoles · c · local · linux
https://www.exploit-db.com/exploits/47169

This is a local privilege escalation exploit for CVE-2017-1000112, targeting Ubuntu and Linux Mint kernels (4.4.0 and 4.8.0). It bypasses KASLR and SMEP to achieve root access by leveraging a race condition in the n_hdlc Linux kernel driver.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (Ubuntu trusty/xenial 4.4.0/4.8.0, Linux Mint rosa/sarah 4.4.0/4.8.0)
Authentication: Auth required
Prerequisites: Local user access · Compilation environment (gcc) · Vulnerable kernel version
Analyzed by devstral-2 on Feb 16, 2026
github · WORKING POC · 8 stars
by codecat007 · c · poc
https://github.com/codecat007/cvehub/tree/main/android/kernel/EXP-CVE-2017-1000112

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2017-1000112, targeting a vulnerability in the UFO Linux kernel implementation. The exploit includes KASLR and SMEP bypasses and has been tested on specific Ubuntu kernel versions.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (UFO implementation) on Ubuntu trusty (4.4.0-*) and xenial (4.8.0-*)
Authentication: No auth needed
Prerequisites: Local access to the target system · Specific kernel versions (Ubuntu trusty or xenial)
Analyzed by devstral-2 on Feb 27, 2026
nomisec · WORKING POC · 1 star
by Spydomain · poc
https://github.com/Spydomain/CVE-2017-1000112-PoC

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2017-1000112, targeting a buffer overflow in the Linux kernel's UDP Fragmentation Offload (UFO) feature. The exploit includes KASLR and SMEP bypass techniques, and is tailored for specific Ubuntu kernel versions (e.g., 4.8.0-22-generic).

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (Ubuntu 16.10, 4.8.0-22-generic and others)
Authentication: No auth needed
Prerequisites: Ubuntu 16.10 with vulnerable kernel version (e.g., 4.8.0-22-generic) · Local access to the target system
Analyzed by devstral-2 on Mar 06, 2026
nomisec · WORKING POC · 1 star
by IT19083124 · poc
https://github.com/IT19083124/SNP-Assignment

This repository contains a functional exploit for CVE-2017-1000112, a local privilege escalation vulnerability in the Linux kernel. The exploit leverages a race condition in the n_hdlc driver to achieve arbitrary code execution in kernel mode, bypassing KASLR and SMEP protections.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel versions 4.4.0-21 to 4.8.0-58 (Ubuntu Trusty/Xenial)
Authentication: No auth needed
Prerequisites: Local access to the target system · Kernel version matching one of the supported versions in the exploit
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 1 star
by ol0273st-s · poc
https://github.com/ol0273st-s/CVE-2017-1000112-Adpated

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2017-1000112, targeting Ubuntu kernels 4.4.0-* and 4.8.0-*. The exploit includes KASLR and SMEP bypasses, demonstrating a reliable path to root access via crafted payload execution.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (Ubuntu trusty/xenial)
Authentication: No auth needed
Prerequisites: Local user access · Vulnerable kernel version (4.4.0-* or 4.8.0-*)
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC
by hikame · poc
https://github.com/hikame/docker_escape_pwn

This repository contains a functional exploit for CVE-2017-1000112, demonstrating Docker container escape via kernel vulnerabilities. It includes components for privilege escalation, capability manipulation, and mitigation bypasses (KASLR, SMEP).

Classification: Working PoC (90%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Docker with Linux kernel 4.13.0-16.19 (Ubuntu 16.04.3)
Authentication: No auth needed
Prerequisites: Docker container with vulnerable kernel · Ability to compile kernel modules
Analyzed by devstral-2 on Feb 18, 2026
metasploit · WORKING POC · GOOD
by Andrey Konovalov, h00die, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/ufo_privilege_escalation.rb

This Metasploit module exploits CVE-2017-1000112, a Linux kernel vulnerability in UDP Fragmentation Offload (UFO) to achieve local privilege escalation. It targets specific Ubuntu and Linux Mint kernels with unprivileged user namespaces enabled and SMAP disabled.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel 4.4.0-21 to 4.4.0-89 and 4.8.0-34 to 4.8.0-58 (Ubuntu Trusty/Xenial and derivatives)
Authentication: No auth needed
Prerequisites: Unprivileged user namespaces enabled · SMAP disabled · Specific vulnerable kernel versions
Analyzed by devstral-2 on Feb 16, 2026

References (13)

Core References (13)
Mailing List, Patch, Third Party Advisory [mailing-list, x_refsource_mlist]: http://seclists.org/oss-sec/2017/q3/277
Third Party Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2017:3200
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_bid]: http://www.securityfocus.com/bid/100262
Third Party Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2017:2918
Third Party Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2017:2931
Third Party Advisory [vendor-advisory, x_refsource_debian]: http://www.debian.org/security/2017/dsa-3981
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_sectrack]: http://www.securitytracker.com/id/1039162
Third Party Advisory, VDB Entry [exploit, x_refsource_exploit-db]: https://www.exploit-db.com/exploits/45147/
Third Party Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2017:2930
Third Party Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2019:1932
Third Party Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2019:1931
Third Party Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2019:4159

Scores

CVSS v3: 7.0
EPSS: 0.8286
EPSS Percentile: 99.3%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-362
Status: published
Products (1): linux/linux_kernel 2.6.15 - 3.10.108
Published: Oct 05, 2017
Tracked Since: Feb 18, 2026