CVE-2017-1000405

HIGH

Linux Kernel <4.14 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-1000405. PoCs published by anonymous, Bindecy, bindecy.

AI-analyzed exploit summary This exploit leverages a race condition in the Linux kernel (CVE-2017-1000405) to achieve local privilege escalation by writing to read-only memory mappings via /proc/self/mem. It uses multithreading to force a write to a memory page that should be protected, demonstrating the vulnerability.

Description

The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.

Exploits (3)

exploitdb WORKING POC
by anonymous · cdoslinux
https://www.exploit-db.com/exploits/44305

This exploit leverages a race condition in the Linux kernel (CVE-2017-1000405) to achieve local privilege escalation by writing to read-only memory mappings via /proc/self/mem. It uses multithreading to force a write to a memory page that should be protected, demonstrating the vulnerability.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Linux Kernel (versions before 4.14.8, 4.9.76, 4.4.111)
No auth needed
Prerequisites: Local access to the target system · Ability to compile and execute C code
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Bindecy · cdoslinux
https://www.exploit-db.com/exploits/43199

This exploit leverages a race condition in the Linux kernel's handling of transparent huge pages (CVE-2017-1000405) to overwrite the zero page, potentially leading to privilege escalation. It uses multithreading to force a dirty PMD state and achieve arbitrary write access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (versions affected by CVE-2017-1000405)
No auth needed
Prerequisites: Transparent huge pages enabled ('always' mode) · Linux kernel vulnerable to CVE-2017-1000405
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 201 stars
by bindecy · poc
https://github.com/bindecy/HugeDirtyCowPOC

This repository contains a functional proof-of-concept exploit for CVE-2017-1000405, leveraging a race condition in the Linux kernel's handling of transparent huge pages to achieve local privilege escalation. The exploit uses multithreading to overwrite the system's huge zero page, demonstrating the vulnerability.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (versions affected by CVE-2017-1000405)
No auth needed
Prerequisites: Transparent huge pages enabled ('always' mode) · Local access to the target system
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102032
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0180
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
Third Party Advisory x_refsource_confirm
https://source.android.com/security/bulletin/pixel/2018-02-01
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040020
Exploit, Issue Tracking, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43199/

Scores

CVSS v3 7.0
EPSS 0.0727
EPSS Percentile 91.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-362
Status published
Products (1)
linux/linux_kernel 3.2.87 - 3.3
Published Nov 30, 2017
Tracked Since Feb 18, 2026