CVE-2017-16995

HIGH

Linux BPF Sign Extension Local Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 21 public exploits for CVE-2017-16995. PoCs were published by Metasploit, rlarabee and Bruce Leidl, and include the Metasploit module exploits/linux/local/bpf_sign_extension_priv_esc.

AI-analyzed exploit summary: This is a Metasploit module for CVE-2017-16995, a Linux kernel BPF sign extension vulnerability allowing local privilege escalation. It compiles and executes an exploit to gain root privileges on vulnerable systems.

Description

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.

Exploits (21)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/45058

This is a Metasploit module for CVE-2017-16995, a Linux kernel BPF sign extension vulnerability allowing local privilege escalation. It compiles and executes an exploit to gain root privileges on vulnerable systems.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel versions 4.0 to 4.14.11 with BPF support
Auth required
Prerequisites: Local access to a vulnerable Linux system · BPF support enabled · Unprivileged BPF loading not disabled
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by rlarabee · c · local · linux
https://www.exploit-db.com/exploits/45010

This is a working privilege escalation exploit for CVE-2017-16995, leveraging eBPF verifier bypass to gain root access on vulnerable Linux kernels. It manipulates kernel memory structures to escalate privileges from an unprivileged user.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (4.4.0-31 to 4.13.0-21, and others)
No auth needed
Prerequisites: Unprivileged user access · Vulnerable kernel version · eBPF support enabled
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Bruce Leidl · c · local · linux
https://www.exploit-db.com/exploits/44298

This exploit leverages a BPF (Berkeley Packet Filter) vulnerability (CVE-2017-16995) in the Linux kernel to achieve local privilege escalation by manipulating kernel memory to overwrite the UID of the current process, granting root access.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 4.4.0-116-generic (Ubuntu 16.04.4)
No auth needed
Prerequisites: Local access to the vulnerable system · Kernel version 4.4.0-116-generic or similar with BPF vulnerability
devstral-2 · analyzed Feb 16, 2026

github WRITEUP 3,480 stars
by qazbnm456 · poc
https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-16995.md

This repository provides a detailed analysis and references for CVE-2017-16995, an eBPF-based local privilege escalation vulnerability in Linux kernels before 4.4.0-116. It includes links to technical writeups, PoC code, and exploit details but does not contain functional exploit code itself.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)
No auth needed
Prerequisites: Local access to the target system · eBPF support in the kernel
devstral-2 · analyzed Feb 27, 2026

github WRITEUP 14 stars
by xbl3 · poc
https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-16995.md

This repository provides a technical analysis and references for CVE-2017-16995, an eBPF-based local privilege escalation vulnerability in the Linux kernel. It includes links to external writeups and exploit code but does not contain functional exploit code itself.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)
Auth required
Prerequisites: Local access to the target system · Kernel version < 4.4.0-116
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 13 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2017-16995

This is a functional local privilege escalation exploit for CVE-2017-16995, targeting a vulnerability in the eBPF verifier in Linux kernels 4.4 to 4.14 on Ubuntu/Debian. It leverages a maliciously crafted BPF program to achieve arbitrary memory read/write, ultimately modifying the UID to gain root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel 4.4-4.14 (Ubuntu/Debian)
Auth required
Prerequisites: Local user access · Unpatched Ubuntu/Debian system with vulnerable kernel
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by ph4ntonn · poc
https://github.com/ph4ntonn/CVE-2017-16995

This is a working exploit for CVE-2017-16995, a local privilege escalation vulnerability in the Linux kernel's BPF verifier. The exploit leverages an integer overflow to bypass verifier checks and achieve arbitrary read/write in kernel memory, ultimately escalating privileges to root.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel versions before 4.9.75, 4.14.12, and 4.4.110
No auth needed
Prerequisites: Linux kernel with vulnerable BPF verifier · Compilation environment for the exploit code
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by littlebin404 · poc
https://github.com/littlebin404/CVE-2017-16995

This is a working local privilege escalation (LPE) exploit for CVE-2017-16995, targeting a vulnerability in the eBPF verifier in the Linux kernel. The exploit manipulates the eBPF verifier to achieve arbitrary memory read/write, ultimately modifying the UID to gain root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (Ubuntu 16.04.1~16.04.4)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel (Ubuntu 16.04.1~16.04.4) · Local user access
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by vnik5287 · poc
https://github.com/vnik5287/CVE-2017-16995

This is a working privilege escalation exploit for CVE-2017-16995, targeting a vulnerability in the Linux kernel's eBPF verifier. It leverages a stack overflow to overwrite kernel memory and escalate privileges to root.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 4.4.0-116-generic (Ubuntu 16.04.4)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel version · Ability to compile and execute C code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by senyuuri · poc
https://github.com/senyuuri/cve-2017-16995

This is a functional local privilege escalation exploit for CVE-2017-16995, targeting a vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) implementation. The exploit manipulates kernel memory to escalate privileges to root by overwriting the UID of the current process.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 4.4.0-116-generic
No auth needed
Prerequisites: Access to a vulnerable Linux kernel (4.4.0-116-generic) · Local user access
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by gugronnier · poc
https://github.com/gugronnier/CVE-2017-16995

This is a functional privilege escalation exploit for CVE-2017-16995, targeting a vulnerability in the Linux kernel's eBPF verifier. It manipulates kernel memory to escalate privileges to root by overwriting the UID of the current process.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 4.4.0-31-generic and 4.4.0-116-generic (Ubuntu 16.04)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel version · Ability to compile and execute C code on the target system
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by Andyyyyuan · python · poc
https://github.com/Andyyyyuan/CVE-Poc/tree/main/CVE-2017-16995

This repository contains a functional exploit for CVE-2017-16995, a local privilege escalation vulnerability in the Linux kernel's eBPF verifier. The exploit leverages a crafted BPF program to achieve arbitrary memory read/write, ultimately escalating privileges to root.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel 4.4.0-116-generic (Ubuntu 16.04.4 LTS)
No auth needed
Prerequisites: Linux kernel version 4.4.0-116-generic · eBPF support enabled · unprivileged user access
devstral-2 · analyzed Apr 10, 2026

nomisec WORKING POC
by xxxTectationxxx · poc
https://github.com/xxxTectationxxx/CVE-2017-16995

This repository contains two functional privilege escalation exploits for CVE-2017-16995, targeting a vulnerability in the eBPF verifier in Linux kernels. Both exploits leverage eBPF to achieve arbitrary read/write in kernel memory, ultimately modifying the cred structure to gain root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel versions 4.4.0-116-generic and others (Ubuntu 16.04, Fedora 27)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel with eBPF support · Ability to compile and execute C code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by ZhiQiAnSecFork · poc
https://github.com/ZhiQiAnSecFork/cve-2017-16995

This is a functional exploit for CVE-2017-16995, leveraging eBPF verifier bypass to achieve local privilege escalation on vulnerable Linux kernels. It manipulates kernel memory to escalate privileges to root by patching the cred structure.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (4.4.0-31 to 4.13.0-21, and others)
No auth needed
Prerequisites: Vulnerable Linux kernel version · Local user access
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by anldori · poc
https://github.com/anldori/CVE-2017-16995

This is a functional exploit for CVE-2017-16995, a Linux kernel vulnerability in the eBPF verifier. It bypasses security checks to achieve local privilege escalation by manipulating kernel memory structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (4.4.0-31 to 4.13.0-21, and others)
No auth needed
Prerequisites: Linux kernel with vulnerable eBPF verifier · Unprivileged user access
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by fei9747 · poc
https://github.com/fei9747/CVE-2017-16995

This is a functional local privilege escalation (LPE) exploit for CVE-2017-16995, targeting a vulnerability in the eBPF verifier in Linux kernels 4.4 to 4.14 on Ubuntu/Debian. The exploit manipulates the eBPF verifier to achieve arbitrary memory read/write, ultimately modifying the UID of the current process to gain root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel 4.4-4.14 (Ubuntu/Debian)
No auth needed
Prerequisites: Access to a vulnerable Ubuntu/Debian system with kernel versions 4.4 to 4.14 · Compilation tools (gcc) to build the exploit
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by ivilpez · poc
https://github.com/ivilpez/cve-2017-16995.c

This repository contains a PoC for CVE-2017-16995, a local privilege escalation vulnerability in the Linux kernel's USB subsystem. The provided compile script builds three binaries likely used to exploit the double-free vulnerability.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel < 4.13.8
Auth required
Prerequisites: Local access to the target system · Compilation environment with gcc and pkg-config
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Lumindu · poc
https://github.com/Lumindu/CVE-2017-16995-Linux-Kernel---BPF-Sign-Extension-Local-Privilege-Escalation-

This exploit leverages a sign extension vulnerability in the Linux kernel's BPF verifier (CVE-2017-16995) to achieve local privilege escalation. It manipulates BPF maps and socket filters to read/write arbitrary kernel memory, ultimately overwriting the current process's UID to gain root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (versions 4.4 to 4.14)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · BPF syscall support enabled · Kernel version 4.4 to 4.14
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by C0dak · poc
https://github.com/C0dak/CVE-2017-16995

This is a working privilege escalation exploit for CVE-2017-16995, targeting a vulnerability in the eBPF verifier in Linux kernels 4.4 to 4.14. The exploit manipulates the eBPF verifier to achieve arbitrary memory read/write, ultimately modifying the UID of the current process to gain root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel 4.4 to 4.14 (Ubuntu/Debian)
No auth needed
Prerequisites: Linux kernel version 4.4 to 4.14 · eBPF support enabled · Non-privileged user access
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GREAT
by Jann Horn, bleidl, vnik, rlarabee, h00die, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb

This Metasploit module exploits CVE-2017-16995, a Linux kernel BPF verifier vulnerability allowing local privilege escalation via incorrect sign extension in the `check_alu_op` function. It bypasses the verifier to achieve arbitrary kernel read/write, tested on multiple Linux distributions.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel < 4.14.8 with BPF support
No auth needed
Prerequisites: Unprivileged BPF access enabled · BPF syscall support in kernel · x86_64 architecture
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45058/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3619-2/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3633-1/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102288
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44298/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45010/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-4073
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/usn/usn-3523-2/
Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2017/12/21/2
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3619-1/

Scores

CVSS v3 7.8
EPSS 0.8405
EPSS Percentile 99.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-119
Status published
Products (4)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
debian/debian_linux 9.0
linux/linux_kernel 4.9 - 4.9.72
Published Dec 27, 2017
Tracked Since Feb 18, 2026