CVE-2021-22600

MEDIUM KEV

Linux Kernel - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2021-22600 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 11, 2022. EIP tracks 2 public exploits from researchers including Chinmay1743 and sendINUX.

AI-analyzed exploit summary: This repository provides a technical analysis and privilege probe for CVE-2021-22600, demonstrating how AF_PACKET socket creation and PACKET_RX_RING configuration behave under different privilege levels (user vs. root). It includes a detailed explanation of kernel checks for CAP_NET_RAW and the implications of exploitation.

Description

A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading the kernel past the affected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755.

Exploits (2)

nomisec WRITEUP
by Chinmay1743 · local
https://github.com/Chinmay1743/af_packet.c

This repository provides a technical analysis and privilege probe for CVE-2021-22600, demonstrating how AF_PACKET socket creation and PACKET_RX_RING configuration behave under different privilege levels (user vs. root). It includes a detailed explanation of kernel checks for CAP_NET_RAW and the implications of exploitation.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (af_packet.c)
No auth needed
Prerequisites: Access to a Linux system with AF_PACKET sockets · Basic understanding of Linux capabilities
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by sendINUX · local
https://github.com/sendINUX/CVE-2021-22600__DirtyPagetable

This repository contains functional exploit code for CVE-2021-22600, leveraging the DirtyPagetable technique to achieve local privilege escalation (LPE) in the Linux kernel. The exploit involves manipulating kernel memory structures through socket operations and signalfd spraying.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specific versions affected by CVE-2021-22600)
No auth needed
Prerequisites: Local access to the vulnerable system · Kernel version vulnerable to CVE-2021-22600
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 6.6
EPSS 0.0592
EPSS Percentile 92.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-04-11
VulnCheck KEV 2022-03-07
InTheWild.io 2022-03-07
ENISA EUVD EUVD-2021-9736
CWE CWE-415
Status published
Products (12)
debian/debian_linux 9.0
debian/debian_linux 10.0
linux/linux_kernel 4.14.175 - 4.14.259
netapp/8300_firmware
netapp/8700_firmware
netapp/a400_firmware
netapp/c400_firmware
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
... and 2 more
Published Jan 26, 2022
KEV Added Apr 11, 2022
Tracked Since Feb 18, 2026