CVE-2020-8835

HIGH

Linux kernel <5.6.1, <5.5.14, <5.4.29 - Memory Corruption

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2020-8835. PoCs published by snappyJack, digamma-ai, zilong3033.

AI-analyzed exploit summary

This repository contains a functional exploit for CVE-2020-8835, leveraging BPF map operations to achieve local privilege escalation (LPE) by overwriting kernel memory structures. The exploit uses BPF socket filters to leak kernel addresses, bypass KASLR, and manipulate the modprobe_path to execute arbitrary commands with root privileges.

Description

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

Exploits (6)

nomisec · WORKING POC · 4 stars
by snappyJack · poc
https://github.com/snappyJack/Rick_write_exp_CVE-2020-8835

This repository contains a functional exploit for CVE-2020-8835, leveraging BPF map operations to achieve local privilege escalation (LPE) by overwriting kernel memory structures. The exploit uses BPF socket filters to leak kernel addresses, bypass KASLR, and manipulate the modprobe_path to execute arbitrary commands with root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (versions affected by CVE-2020-8835)
No auth needed
Prerequisites: BPF support enabled in the kernel · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

nomisec · WRITEUP · 2 stars
by digamma-ai · poc
https://github.com/digamma-ai/CVE-2020-8835-verification

This repository provides a formal verification of CVE-2021-31440 (incorrectly referenced as CVE-2020-8835) using Coq, demonstrating the bug in the Linux kernel eBPF verifier's bounds calculation. It includes both buggy and corrected implementations of the vulnerable function for comparative analysis.

Classification: Writeup 95%
Attack Type: Other
Complexity: Complex
Reliability: Theoretical
Target: Linux kernel eBPF verifier
No auth needed
Prerequisites: Linux headers · Coq · OPAM
devstral-2 · analyzed Feb 18, 2026

nomisec · WORKING POC · 1 star
by zilong3033 · poc
https://github.com/zilong3033/CVE-2020-8835

This repository contains a functional exploit for CVE-2020-8835, a Linux kernel vulnerability in the BPF verifier that allows out-of-bounds memory access. The exploit leverages BPF instructions to trigger the vulnerability and includes detailed mitigation steps.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel 5.5.0 and newer, Linux 5.4 stable series starting with v5.4.7
No auth needed
Prerequisites: Unprivileged access to the bpf() syscall · Kernel without the fix (5.6.1, 5.5.14, or 5.4.29)
devstral-2 · analyzed Feb 18, 2026

nomisec · WORKING POC
by johnatag · poc
https://github.com/johnatag/INF8602-CVE-2020-8835

This repository contains a functional exploit PoC for CVE-2020-8835, which involves a Linux kernel vulnerability related to unprivileged BPF (Berkeley Packet Filter) operations. The PoC includes a Node.js server and Docker configurations to test the exploit, as well as instructions for mitigating the vulnerability by disabling unprivileged BPF.

Classification: Working PoC 80%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (versions affected by CVE-2020-8835)
No auth needed
Prerequisites: Linux system with vulnerable kernel · Unprivileged user access
devstral-2 · analyzed Feb 18, 2026

nomisec · WORKING POC
by SplendidSky · poc
https://github.com/SplendidSky/CVE-2020-8835

This repository contains a functional exploit PoC for CVE-2020-8835, which involves a vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem. The provided code includes BPF-related operations and a PoC to trigger the vulnerability.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2020-8835)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel · Ability to execute BPF-related system calls
devstral-2 · analyzed Feb 18, 2026

References (12)

Core References (12)
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4313-1/
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2020/03/30/3
Third Party Advisory x_refsource_misc
https://usn.ubuntu.com/usn/usn-4313-1
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200430-0004/
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/07/20/1

Scores

CVSS v3 7.8
EPSS 0.0606
EPSS Percentile 92.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-125 CWE-787
Status published
Products (30)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
fedoraproject/fedora 30
fedoraproject/fedora 31
fedoraproject/fedora 32
linux/linux_kernel 5.4.7 - 5.4.29
netapp/8300_firmware
netapp/8700_firmware
netapp/a220_firmware
netapp/a320_firmware
... and 20 more
Published Apr 02, 2020
Tracked Since Feb 18, 2026