CVE-2017-16997

HIGH

GNU C Library 2.19-2.26 - Privilege Escalation


Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-16997. PoCs published by Xiami2012.

AI-analyzed exploit summary: This PoC demonstrates CVE-2017-16997, a vulnerability in glibc's dynamic linker where $ORIGIN in RPATH/RUNPATH can lead to loading libraries from the current working directory, potentially allowing privilege escalation via SUID binaries. The script compiles a test binary, sets SUID permissions, and checks if the system is vulnerable.

Description

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretation of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

Exploits (1)

nomisec WORKING POC
by Xiami2012 · poc
https://github.com/Xiami2012/CVE-2017-16997-poc

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: glibc (versions affected by CVE-2017-16997)
No auth needed
Prerequisites: System with vulnerable glibc · SUID binary with $ORIGIN in RPATH/RUNPATH · Write access to a directory in the search path
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://sourceware.org/bugzilla/show_bug.cgi?id=22625
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102228
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html
Issue Tracking, Mailing List, Patch, Third Party Advisory x_refsource_confirm
https://bugs.debian.org/884615
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3092
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:0327

Scores

CVSS v3 7.8
EPSS 0.0113
EPSS Percentile 78.6%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-426
Status published
Products (11)
gnu/glibc 2.19
gnu/glibc 2.20
gnu/glibc 2.21
gnu/glibc 2.22
gnu/glibc 2.23
gnu/glibc 2.25
gnu/glibc 2.26
n/a/glibc 2.19 through 2.26 glibc 2.19 through 2.26
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
... and 1 more
Published Dec 18, 2017
Tracked Since Feb 18, 2026