CVE-2019-9213: Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-9213. PoCs published by Metasploit, Google Security Research, Mohamed Ghannam, Jann Horn, wbowling, bcoles, nstarke, including Metasploit module exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits a NULL pointer dereference in the `rds_atomic_free_op` function in the Linux kernel's RDS module (CVE-2018-5333) combined with a MAP_GROWSDOWN mmap_min_addr bypass (CVE-2019-9213) to achieve local privilege escalation on vulnerable Ubuntu 16.04 systems.

Description

In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/47957

View Code ZIP pw:eip

This Metasploit module exploits a NULL pointer dereference in the `rds_atomic_free_op` function in the Linux kernel's RDS module (CVE-2018-5333) combined with a MAP_GROWSDOWN mmap_min_addr bypass (CVE-2019-9213) to achieve local privilege escalation on vulnerable Ubuntu 16.04 systems.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 4.4.0-116-generic and 4.8.0-54-generic on Ubuntu 16.04

Auth required

Prerequisites: Local access to a vulnerable Ubuntu 16.04 system · RDS kernel module loaded or not blacklisted · SMAP disabled

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Google Security Research · textdoslinux

https://www.exploit-db.com/exploits/46502

View Code ZIP pw:eip

This exploit demonstrates a kernel NULL pointer dereference vulnerability (CVE-2019-9213) by mapping virtual address 0 on x86 systems without SMAP. It abuses a capability check flaw in `expand_downwards()` to bypass `dac_mmap_min_addr` restrictions, enabling exploitation of NULL pointer dereferences.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux Kernel (versions affected by CVE-2019-9213)

No auth needed

Prerequisites: x86 system without SMAP · ability to execute unprivileged code

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GOOD

by Mohamed Ghannam, Jann Horn, wbowling, bcoles, nstarke · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits a NULL pointer dereference in the `rds_atomic_free_op` function in the Linux kernel's RDS module (CVE-2018-5333) combined with a MAP_GROWSDOWN mmap_min_addr bypass (CVE-2019-9213) to achieve local privilege escalation on vulnerable Ubuntu 16.04 systems.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 4.4.0-116-generic and 4.8.0-54-generic (Ubuntu 16.04)

No auth needed

Prerequisites: RDS kernel module loaded or not blacklisted · 64-bit Ubuntu 16.04 system · SMAP disabled

MITRE ATT&CK