CVE-2017-1000370

HIGH

Linux Kernel 4.1-4.1.43 - Stack Clash via PIE Binary Execution

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-1000370. PoCs published by Qualys Corporation.

AI-analyzed exploit summary: This exploit checks for the presence of CVE-2017-1000371 by analyzing memory mappings to detect if the stack or library regions are too close to the binary's memory region. It uses forked processes to test the vulnerability under different conditions.

Description

The offset2lib patch as used in the Linux kernel contains a vulnerability: if a PIE binary is execve()'ed with 1GB of arguments or environment strings, the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000, nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386-based systems.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Qualys Corporation · c · local · linux_x86
https://www.exploit-db.com/exploits/42273

This exploit checks for the presence of CVE-2017-1000371 by analyzing memory mappings to detect if the stack or library regions are too close to the binary's memory region. It uses forked processes to test the vulnerability under different conditions.

Classification: Working Poc 95%
Attack Type: Lpe
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2017-1000371)
No auth needed
Prerequisites: Access to a vulnerable Linux system · Ability to execute binaries
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Qualys Corporation · c · local · linux_x86
https://www.exploit-db.com/exploits/42274

This exploit leverages CVE-2017-1000370, a vulnerability in the Linux dynamic loader (ld.so) related to the handling of the HWCAP mechanism. It injects a malicious shared library to achieve privilege escalation by manipulating the environment variables and library search paths.

Classification: Working Poc 95%
Attack Type: Lpe
Complexity: Moderate
Reliability: Reliable
Target: Linux dynamic loader (ld.so) on various distributions (Debian, Fedora, CentOS)
No auth needed
Prerequisites: Access to a vulnerable Linux system · Ability to compile and execute the exploit
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99149
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3981
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42273/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42274/
Third Party Advisory, VDB Entry x_refsource_confirm
https://access.redhat.com/security/cve/CVE-2017-1000370

Scores

CVSS v3 7.8
EPSS 0.0171
EPSS Percentile 82.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
linux/linux_kernel 4.1 - 4.1.43
Published Jun 19, 2017
Tracked Since Feb 18, 2026