CVE-2017-11176

HIGH

Linux Kernel <= 4.11.9 - Use-After-Free in mq_notify Netlink Socket Handling


Exploitation Summary

EIP tracks 7 public exploits for CVE-2017-11176. PoCs published by Lexfo, lexfo, c3r34lk1ll3r.

AI-analyzed exploit summary: This exploit targets CVE-2017-11176, a Linux kernel vulnerability in the mq_notify mechanism, leading to a double sock_put() and potential local privilege escalation. It uses a race condition to manipulate kernel structures and achieve arbitrary code execution.

Description

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

Exploits (7)

exploitdb WORKING POC
by Lexfo · c · local · linux
https://www.exploit-db.com/exploits/45553

This exploit targets CVE-2017-11176, a Linux kernel vulnerability in the mq_notify mechanism, leading to a double sock_put() and potential local privilege escalation. It uses a race condition to manipulate kernel structures and achieve arbitrary code execution.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (specific versions affected by CVE-2017-11176)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2017-11176
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 26 stars
by lexfo · poc
https://github.com/lexfo/cve-2017-11176

This repository contains a functional exploit for CVE-2017-11176, a Linux kernel vulnerability involving a double sock_put() in mq_notify. The exploit demonstrates privilege escalation by manipulating kernel structures and includes detailed technical analysis in referenced blog posts.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (specific versions affected by CVE-2017-11176)
No auth needed
Prerequisites: Kernel version vulnerable to CVE-2017-11176 · Compilation environment with specific kernel headers
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by c3r34lk1ll3r · poc
https://github.com/c3r34lk1ll3r/CVE-2017-11176

This repository contains a functional proof-of-concept exploit for CVE-2017-11176, a use-after-free vulnerability in the Linux kernel's mq_notify function. The exploit leverages race conditions and heap manipulation to achieve arbitrary code execution, with detailed implementation in C.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel through 4.11.9
No auth needed
Prerequisites: SMAP disabled · KASLR disabled · SLAB allocator · specific kernel version
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Yanoro · poc
https://github.com/Yanoro/CVE-2017-11176

This repository contains a functional exploit for CVE-2017-11176, a Linux kernel vulnerability in the netlink subsystem. The exploit manipulates socket buffers and message queues to trigger a use-after-free condition, potentially leading to privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (versions affected by CVE-2017-11176)
No auth needed
Prerequisites: Linux system with vulnerable kernel · Ability to execute code on the target system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Sama-Ayman-Mokhtar · poc
https://github.com/Sama-Ayman-Mokhtar/CVE-2017-11176

This repository contains a functional exploit for CVE-2017-11176, a Linux kernel vulnerability in the netlink subsystem. The exploit leverages a race condition to achieve local privilege escalation by manipulating kernel memory structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (versions affected by CVE-2017-11176)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to CVE-2017-11176
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by leonardo1101 · poc
https://github.com/leonardo1101/cve-2017-11176

This repository contains a functional exploit for CVE-2017-11176, a use-after-free vulnerability in the Linux kernel's mq_notify function. The exploit manipulates Netlink sockets to trigger the vulnerability, demonstrating a denial-of-service (DoS) condition.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Complex
Reliability: Racy
Target: Linux kernel through 4.11.9
No auth needed
Prerequisites: Linux kernel version <= 4.11.9 · Ability to create Netlink sockets
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by DoubleMice · poc
https://github.com/DoubleMice/cve-2017-11176

This repository contains a functional proof-of-concept exploit for CVE-2017-11176, a local privilege escalation vulnerability in the Linux kernel. The exploit triggers a use-after-free (UAF) condition in the netlink subsystem by flooding a socket and manipulating message queues.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Linux kernel (tested on Ubuntu 4.4.0-62)
No auth needed
Prerequisites: Local access to the target system · Linux kernel version vulnerable to CVE-2017-11176
devstral-2 · analyzed Feb 18, 2026

References (12)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3927
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0169
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2918
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2931
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99919
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3945
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45553/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3822
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2930

Scores

CVSS v3 7.8
EPSS 0.1874
EPSS Percentile 95.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-416
Status published
Products (3)
debian/debian_linux 8.0
debian/debian_linux 9.0
linux/linux_kernel < 3.2.92
Published Jul 11, 2017
Tracked Since Feb 18, 2026