CVE-2021-3490

HIGH

Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE

Title source: metasploit

Exploitation Summary

EIP tracks 5 public exploits for CVE-2021-3490. PoCs published by chompie1337, pivik271, prabeershakya, including Metasploit module exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.


Description

The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out-of-bounds reads and writes in the Linux kernel and, therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf: Fix a verifier failure with xor") (5.10-rc1).

Exploits (5)

nomisec WORKING POC 312 stars
by chompie1337 · poc
https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2021-3490, leveraging eBPF map operations to achieve arbitrary kernel memory read/write and ultimately overwrite credentials for root access. The exploit is tested on specific Ubuntu kernel versions and includes detailed technical implementation.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (Ubuntu 20.04.02, 20.10, 21.04)
No auth needed
Prerequisites: Linux kernel with vulnerable eBPF implementation (5.8.0-25.26 through 5.8.0-52.58 or 5.11.0-16.17) · Local user access
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by pivik271 · poc
https://github.com/pivik271/CVE-2021-3490

This repository contains a functional exploit for CVE-2021-3490, leveraging eBPF ALU32 bounds tracking flaws to achieve arbitrary read/write in the Linux kernel, leading to privilege escalation. The exploit uses crafted BPF instructions to trigger out-of-bounds memory access and manipulate kernel structures.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2021-3490)
No auth needed
Prerequisites: Linux kernel with vulnerable eBPF verifier · Ability to load BPF programs
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by prabeershakya · poc
https://github.com/prabeershakya/CVE-2021-3490-POC

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2021-3490, leveraging eBPF map operations to achieve arbitrary kernel memory read/write. The exploit targets Ubuntu 20.04 with kernel 5.8.0-50-generic and includes detailed setup instructions.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (Ubuntu 20.04, kernel 5.8.0-50-generic)
No auth needed
Prerequisites: unprivileged_bpf_disabled=0 · specific kernel version (5.8.0-50-generic) · build-essential and libelf-dev installed
devstral-2 · analyzed Mar 04, 2026

nomisec WRITEUP
by sandesh9978 · poc
https://github.com/sandesh9978/cve-2021-3490-ebpf-analysis

This repository provides a technical analysis and educational demonstration of CVE-2021-3490, focusing on eBPF verifier bounds tracking. It includes a C implementation that interacts with the Linux kernel's eBPF subsystem, demonstrating BPF map creation, syscall usage, and namespace setup, but does not include an automated exploit payload.

Classification: Writeup (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Linux kernel (eBPF subsystem)
No auth needed
Prerequisites: Linux kernel 5.8.0-48-generic or similar vulnerable version · Ubuntu 20.10 or similar environment
devstral-2 · analyzed Mar 04, 2026

metasploit WORKING POC GREAT
by Manfred Paul, chompie1337, Grant Willcox · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb

This Metasploit module exploits CVE-2021-3490, a vulnerability in the Linux kernel's eBPF verifier that allows local privilege escalation (LPE) due to improper bounds tracking in ALU32 operations. It achieves arbitrary code execution as root by leveraging out-of-bounds read/write in the kernel.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel versions 5.7-rc1 to 5.13-rc4, 5.12.4, 5.11.21, and 5.10.37
No auth needed
Prerequisites: Unprivileged BPF loading enabled (kernel.unprivileged_bpf_disabled not set) · eBPF support in kernel · x86_64 architecture
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://ubuntu.com/security/notices/USN-4950-1
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://ubuntu.com/security/notices/USN-4949-1
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
https://www.openwall.com/lists/oss-security/2021/05/11/11
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-21-606/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210716-0004/

Scores

CVSS v3 7.8
EPSS 0.2748
EPSS Percentile 97.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-125 CWE-20 CWE-787
Status published
Products (5)
canonical/ubuntu_linux 20.04
canonical/ubuntu_linux 20.10
canonical/ubuntu_linux 21.04
linux/linux_kernel 5.13 (4 CPE variants)
linux/linux_kernel 5.10 - 5.10.37
Published Jun 04, 2021
Tracked Since Feb 18, 2026