CVE-2017-1000371

HIGH

Linux Kernel 4.1-4.1.43 - Stack Guard Page Bypass via RLIMIT_STACK Allocation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-1000371. PoCs published by Qualys Corporation, Trinadh465.

AI-analyzed exploit summary This exploit checks for the presence of CVE-2017-1000371 by analyzing memory mappings to detect if the stack or library regions are too close to the binary's memory region. It uses forked processes to test the vulnerability under different conditions.

Description

The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Qualys Corporation · clocallinux_x86
https://www.exploit-db.com/exploits/42273

This exploit checks for the presence of CVE-2017-1000371 by analyzing memory mappings to detect if the stack or library regions are too close to the binary's memory region. It uses forked processes to test the vulnerability under different conditions.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel (specific versions affected by CVE-2017-1000371)
No auth needed
Prerequisites: Access to a vulnerable Linux system · Ability to execute binaries
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Qualys Corporation · clocallinux_x86
https://www.exploit-db.com/exploits/42276

This exploit targets CVE-2017-1000371, a vulnerability in the Linux dynamic loader (ld.so) affecting multiple distributions. It manipulates ELF binaries and auxiliary vectors to achieve arbitrary code execution by exploiting a buffer overflow in the dynamic linker.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux dynamic loader (ld.so) on various distributions (Debian, Ubuntu, Fedora)
No auth needed
Prerequisites: Access to a vulnerable Linux system · Ability to execute binaries
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by Trinadh465 · poc
https://github.com/Trinadh465/linux-4.1.15_CVE-2017-1000371

The repository contains only documentation files and build scripts from the Linux kernel, with no exploit code or technical analysis related to CVE-2017-1000371. It appears to be a partial or mislabeled kernel source dump.

Classification
Stub 90%
Attack Type
Other
Complexity
N/a
Reliability
Theoretical
Target: Linux kernel 4.1.15
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99131
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3981
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42276/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42273/
Third Party Advisory, VDB Entry x_refsource_confirm
https://access.redhat.com/security/cve/CVE-2017-1000371

Scores

CVSS v3 7.8
EPSS 0.0251
EPSS Percentile 85.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
linux/linux_kernel 4.1 - 4.1.43
Published Jun 19, 2017
Tracked Since Feb 18, 2026