CVE-2021-4154

HIGH

Linux Kernel >=5.1 <5.4.134 - Use-After-Free in cgroup v1 Parser

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-4154. PoCs published by Markakd, veritas501.

AI-analyzed exploit summary This repository contains a working proof-of-concept exploit for CVE-2021-4154, a use-after-free vulnerability in the Linux kernel's filesystem layer. The exploit leverages race conditions and memory manipulation to achieve local privilege escalation (LPE) on vulnerable kernels.

Description

A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.

Exploits (2)

nomisec WORKING POC 67 stars

by Markakd · poc

https://github.com/Markakd/CVE-2021-4154

View Code ZIP pw:eip

This repository contains a working proof-of-concept exploit for CVE-2021-4154, a use-after-free vulnerability in the Linux kernel's filesystem layer. The exploit leverages race conditions and memory manipulation to achieve local privilege escalation (LPE) on vulnerable kernels.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel (various distributions and versions as listed in README)

No auth needed

Prerequisites: Vulnerable Linux kernel version · Local access to the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 7 stars

by veritas501 · poc

https://github.com/veritas501/CVE-2021-4154

View Code ZIP pw:eip

This is a working exploit for CVE-2021-4154, a use-after-free vulnerability in the Linux kernel's fsconfig syscall. The PoC leverages race conditions and namespace isolation to achieve local privilege escalation by corrupting file descriptors.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel (specific version not specified)

No auth needed

Prerequisites: Linux kernel with vulnerable fsconfig implementation · Ability to execute unprivileged code

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1003 - OS Credential Dumping

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Issue Tracking, Patch, Third Party Advisory x_refsource_misc

https://bugzilla.redhat.com/show_bug.cgi?id=2034514

Mailing List, Patch, Vendor Advisory x_refsource_misc

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b0462726e7ef281c35a7a4ae33e93ee2bc9975b

Third Party Advisory x_refsource_misc

https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-002

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20220225-0004/

Scores

CVSS v3 8.8

EPSS 0.0121

EPSS Percentile 64.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-416

Status published

Products (11)

linux/linux_kernel 5.14 rc1

linux/linux_kernel 5.1 - 5.4.134

netapp/hci_baseboard_management_controller h300e

netapp/hci_baseboard_management_controller h300s

netapp/hci_baseboard_management_controller h410s

netapp/hci_baseboard_management_controller h500e

netapp/hci_baseboard_management_controller h500s

netapp/hci_baseboard_management_controller h700e

netapp/hci_baseboard_management_controller h700s

redhat/enterprise_linux 8.0

... and 1 more

Published Feb 04, 2022

Tracked Since Feb 18, 2026