CVE-2019-3010

HIGH KEV

Oracle Solaris 11 - Privilege Escalation in XScreenSaver

Title source: llm

Exploitation Summary

CVE-2019-3010 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 25, 2022. EIP tracks 4 public exploits from researchers including Marco Ivaldi, chaizeg, Marco Ivaldi, bcoles, including a Metasploit module exploits/solaris/local/xscreensaver_log_priv_esc.

AI-analyzed exploit summary This exploit leverages a design error in xscreensaver on Solaris 11.x, allowing local privilege escalation by abusing the -log command line switch to write arbitrary files. It compiles a shared library to override getuid() and uses LD_PRELOAD to escalate privileges to root.

Description

Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Exploits (4)

exploitdb WORKING POC

by Marco Ivaldi · textlocalsolaris

https://www.exploit-db.com/exploits/47529

View Code ZIP pw:eip

This exploit leverages a design error in xscreensaver on Solaris 11.x, allowing local privilege escalation by abusing the -log command line switch to write arbitrary files. It compiles a shared library to override getuid() and uses LD_PRELOAD to escalate privileges to root.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: xscreensaver 5.39 (Solaris 11.4), xscreensaver 5.15 (Solaris 11.3)

No auth needed

Prerequisites: gcc · access to a local user account · xscreensaver with setuid bit set

MITRE ATT&CK

T1548.001 - Setuid and Setgid T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by chaizeg · remote

https://github.com/chaizeg/privilege-escalation-breach

View Code ZIP pw:eip

This exploit leverages a vulnerability in Oracle Solaris 11's XScreenSaver component to achieve local privilege escalation by manipulating the `getuid` function via `LD_PRELOAD`. The exploit compiles a shared library to override `getuid`, starts an X server, and triggers the vulnerability to gain root access.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Oracle Solaris 11 (XScreenSaver component)

Auth required

Prerequisites: Local access to Oracle Solaris 11 · Ability to compile C code · Access to X server

MITRE ATT&CK

T1548.001 - Setuid and Setgid T1574.006 - Dynamic Linker Hijacking

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

local

https://github.com/0xdea/exploits

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2019-3010, specifically targeting Solaris 11.x via xscreensaver for local privilege escalation. The exploits are well-documented and include multiple variants for different architectures and vulnerabilities.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Solaris 11.x xscreensaver

No auth needed

Prerequisites: Local access to a vulnerable Solaris 11.x system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Marco Ivaldi, bcoles · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/local/xscreensaver_log_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits a privilege escalation vulnerability in `xscreensaver` (CVE-2019-3010) on Solaris 11 by creating a user-owned log file in a secure directory, overwriting it with a malicious shared object, and executing it via `LD_PRELOAD`.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: xscreensaver versions 5.06 to 5.41 on Solaris 11

No auth needed

Prerequisites: gcc installed · xscreensaver setuid binary · writable /tmp directory

MITRE ATT&CK

T1548.001 - Setuid and Setgid T1574.006 - Dynamic Linker Hijacking

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Patch, Vendor Advisory x_refsource_misc

http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2019/Oct/39

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/154960/Solaris-xscreensaver-Privilege-Escalation.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3010

Scores

CVSS v3 8.8

EPSS 0.1351

EPSS Percentile 96.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-05-25

VulnCheck KEV 2022-05-25

InTheWild.io 2022-05-25

ENISA EUVD EUVD-2019-12649

Status published

Products (1)

oracle/solaris 11

Published Oct 16, 2019

KEV Added May 25, 2022

Tracked Since Feb 18, 2026