CVE-2017-6074

HIGH

Linux Kernel < 3.2.86 - Double Free in DCCP Packet Processing

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2017-6074. PoCs published by Andrey Konovalov, codecat007, BimsaraMalinda.

AI-analyzed exploit summary: This is a local privilege escalation exploit for CVE-2017-6074, targeting a use-after-free vulnerability in the Linux kernel's DCCP implementation. It includes a bypass for SMEP/SMAP protections and achieves root by manipulating kernel structures.

Description

The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.

Exploits (6)

exploitdb WORKING POC
by Andrey Konovalov · c · local · linux
https://www.exploit-db.com/exploits/41458

This is a local privilege escalation exploit for CVE-2017-6074, targeting a use-after-free vulnerability in the Linux kernel's DCCP implementation. It includes a bypass for SMEP/SMAP protections and achieves root by manipulating kernel structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 4.4.0-62-generic (Ubuntu)
No auth needed
Prerequisites: Local access to the target system · Kernel version 4.4.0-62-generic or vulnerable version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Andrey Konovalov · c · dos · linux
https://www.exploit-db.com/exploits/41457

This exploit triggers a use-after-free vulnerability in the Linux kernel's DCCP implementation (CVE-2017-6074), leading to a kernel crash. It creates two DCCP sockets, binds one, and manipulates socket options to exploit the flaw.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Linux kernel 4.4.0-62-generic and other vulnerable versions
No auth needed
Prerequisites: Linux system with vulnerable kernel · Ability to create DCCP sockets
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 8 stars
by codecat007 · c · poc
https://github.com/codecat007/cvehub/tree/main/android/kernel/EXP-CVE-2017-6074

This repository contains a functional local root exploit for CVE-2017-6074, a vulnerability in the DCCP protocol implementation in the Linux kernel. The exploit includes a semi-reliable SMEP/SMAP bypass and demonstrates privilege escalation by executing arbitrary code in kernel context.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (tested on 4.4.0-62-generic)
No auth needed
Prerequisites: Local access to the target system · DCCP protocol support in the kernel
devstral-2 · analyzed Feb 27, 2026

nomisec WRITEUP 1 star
by BimsaraMalinda · poc
https://github.com/BimsaraMalinda/Linux-Kernel-4.4.0-Ubuntu---DCCP-Double-Free-Privilege-Escalation-CVE-2017-6074

This repository contains a README for CVE-2017-6074, a DCCP double-free vulnerability in Linux Kernel 4.4.0 (Ubuntu), leading to local privilege escalation. No exploit code is present, only a title/description.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Linux Kernel 4.4.0 (Ubuntu)
No auth needed
Prerequisites: Local access to a vulnerable Linux Kernel 4.4.0 (Ubuntu) system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by 34zY · poc
https://github.com/34zY/CVE-2017-6074-DOS

This is a functional DoS exploit for CVE-2017-6074, targeting a use-after-free vulnerability in the Linux kernel DCCP subsystem. It triggers a kernel panic by manipulating socket operations and memory allocation.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (DCCP subsystem)
Auth required
Prerequisites: Local user access · DCCP socket support in kernel
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by toanthang1842002 · poc
https://github.com/toanthang1842002/CVE-2017-6074

This repository contains a proof-of-concept exploit for CVE-2017-6074, a DCCP double-free vulnerability in the Linux kernel. The exploit leverages heap spraying and timer manipulation to achieve local privilege escalation (LPE) by overwriting kernel structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2017-6074)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · DCCP kernel module loaded · Kernel version susceptible to CVE-2017-6074
devstral-2 · analyzed Feb 16, 2026

References (25)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0323.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0324.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0365.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0347.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1209
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/02/22/3
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0501.html
Third Party Advisory x_refsource_confirm
https://source.android.com/security/bulletin/2017-07-01
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:0932
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037876
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0316.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0294.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0295.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0366.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0346.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0403.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3791
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0293.html
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2017-07
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96310
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41457/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41458/
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0345.html

Scores

CVSS v3 7.8
EPSS 0.2004
EPSS Percentile 95.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-415
Status published
Products (2)
debian/debian_linux 8.0
linux/linux_kernel < 3.2.86
Published Feb 18, 2017
Tracked Since Feb 18, 2026