CVE-2019-19726

HIGH

OpenBSD Dynamic Loader chpass Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-19726. PoCs published by Metasploit, Qualys Corporation, Qualys, bcoles, including Metasploit module exploits/openbsd/local/dynamic_loader_chpass_privesc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2019-19726, a vulnerability in OpenBSD's dynamic loader (`ld.so`) where `LD_LIBRARY_PATH` is not properly reset when set with approximately `ARG_MAX` colons. This allows loading `libutil.so` from an untrusted path via the `chpass` set-uid executable, leading to privileged code execution.

Description

OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · openbsd
https://www.exploit-db.com/exploits/47803

This Metasploit module exploits CVE-2019-19726, a vulnerability in OpenBSD's dynamic loader (`ld.so`) where `LD_LIBRARY_PATH` is not properly reset when set with approximately `ARG_MAX` colons. This allows loading `libutil.so` from an untrusted path via the `chpass` set-uid executable, leading to privileged code execution.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: OpenBSD 6.1, 6.6 (dynamic loader `ld.so`)
No auth needed
Prerequisites: Access to a vulnerable OpenBSD system · Presence of `chpass` set-uid executable · Write permissions in a directory (e.g., `/tmp`) · Compiler (`cc`) available on the target
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by Qualys Corporation · text · local · openbsd
https://www.exploit-db.com/exploits/47780

This exploit leverages a vulnerability in OpenBSD's dynamic loader (ld.so) to escalate privileges via a set-user-ID executable (e.g., chpass or passwd). It manipulates LD_LIBRARY_PATH and RLIMIT_DATA to bypass security checks and load a malicious shared library, resulting in root access.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: OpenBSD dynamic loader (ld.so) on OpenBSD 6.6, 6.5, 6.2, and 6.1
No auth needed
Prerequisites: Access to a system with vulnerable OpenBSD version · Ability to execute set-user-ID binaries like chpass or passwd
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Qualys, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb

This Metasploit module exploits CVE-2019-19726, a vulnerability in OpenBSD's dynamic loader (`ld.so`) where `LD_LIBRARY_PATH` is not properly reset when set with approximately `ARG_MAX` colons. It abuses the `chpass` set-uid executable to load a malicious `libutil.so` from an untrusted path, achieving local privilege escalation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: OpenBSD 6.1, 6.6 (dynamic loader `ld.so`)
No auth needed
Prerequisites: Local shell access · Presence of `chpass` executable · Unpatched OpenBSD system
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.8
EPSS: 0.0938
EPSS Percentile: 93.0%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-269
Status: published
Products (1): openbsd/openbsd < 6.6
Published: Dec 12, 2019
Tracked Since: Feb 18, 2026