CVE-2020-27786

HIGH

Linux Kernel < 4.4.224 - Use-After-Free in MIDI ioctl Handler

Exploitation Summary

EIP tracks 4 public exploits for CVE-2020-27786. PoCs published by kiks7, ii4gsp, Trinadh465.

AI-analyzed exploit summary: This is a working proof-of-concept exploit for CVE-2020-27786, a race condition vulnerability in the Linux kernel leading to a write Use-After-Free. The exploit uses userfaultfd to extend the race window and leverages msg_msg to leak kernel addresses and obtain a write primitive, ultimately overwriting modprobe_path to achieve privilege escalation.

Description

A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to MIDI devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allows for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability.

Exploits (4)

nomisec WORKING POC 10 stars
by kiks7 · poc
https://github.com/kiks7/CVE-2020-27786-Kernel-Exploit

This is a working proof-of-concept exploit for CVE-2020-27786, a race condition vulnerability in the Linux kernel leading to a write Use-After-Free. The exploit uses userfaultfd to extend the race window and leverages msg_msg to leak kernel addresses and obtain a write primitive, ultimately overwriting modprobe_path to achieve privilege escalation.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (specific versions affected by CVE-2020-27786)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel · Ability to compile and run C code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by ii4gsp · poc
https://github.com/ii4gsp/CVE-2020-27786

This exploit leverages a use-after-free vulnerability in the Linux kernel's ALSA rawmidi subsystem (CVE-2020-27786) to achieve local privilege escalation. It employs userfaultfd for memory manipulation and ROP to bypass KASLR and SMAP, ultimately executing a root shell.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specific versions affected by CVE-2020-27786)
No auth needed
Prerequisites: Local access to the target system · ALSA rawmidi device accessible · Kernel version vulnerable to CVE-2020-27786
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by Trinadh465 · poc
https://github.com/Trinadh465/linux-4.19.72_CVE-2020-27786

The repository contains documentation files from a Linux kernel version 4.19.72, specifically focusing on ABI stability, admin guides, and hardware-specific documentation. No exploit code or proof-of-concept is present in the provided files.

Classification: Writeup (90%)
Attack Type: N/A
Complexity: N/A
Reliability: N/A
Target: Linux Kernel 4.19.72
No auth needed
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by elbiazo · poc
https://github.com/elbiazo/CVE-2020-27786

The repository only contains a README.md with basic compilation instructions for a CMake project, lacking any actual exploit code or technical details about CVE-2020-27786.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/12/03/1
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1900933
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210122-0002/

Scores

CVSS v3 7.8
EPSS 0.0166
EPSS Percentile 73.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-416
Status: published
Products (9)
linux/linux_kernel < 4.4.224
netapp/cloud_backup
netapp/solidfire_baseboard_management_controller
redhat/enterprise_linux 7.0
redhat/enterprise_linux 8.0
redhat/enterprise_mrg 2.0
redhat/openshift_container_platform 4.4
redhat/openshift_container_platform 4.5
redhat/openshift_container_platform 4.6
Published Dec 11, 2020
Tracked Since Feb 18, 2026