CVE-2022-0185

HIGH KEV

Linux kernel - Privilege Escalation

Exploitation Summary

CVE-2022-0185 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 21, 2024. EIP tracks 11 public exploits from researchers including Crusaders-of-Rust, chenaotian, and veritas501.

Description

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the length of supplied parameters. An unprivileged local user (if unprivileged user namespaces are enabled; otherwise the namespaced CAP_SYS_ADMIN privilege is needed) who is able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.

Exploits (11)

nomisec WORKING POC 378 stars
by Crusaders-of-Rust · local
https://github.com/Crusaders-of-Rust/CVE-2022-0185

This repository contains two exploit variants for CVE-2022-0185, a Linux kernel vulnerability. The FUSE-based exploit targets Ubuntu (5.11.0-44) to achieve privilege escalation by making /bin/bash SUID, while the kCTF variant targets Kubernetes 1.22 for root RCE via a stack pivot and ROP chain.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (5.1+), specifically Ubuntu 5.11.0-44 and Kubernetes 1.22.3-gke.700
No auth needed
Prerequisites: Linux kernel version 5.1 or higher · FUSE or pipe-based heap manipulation primitives · SYSVIPC elastic objects for arbitrary write
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 38 stars
by chenaotian · local
https://github.com/chenaotian/CVE-2022-0185

This repository contains a working proof-of-concept exploit for CVE-2022-0185, a Linux kernel vulnerability in the fsconfig syscall that allows local privilege escalation and container escape. The exploit leverages an integer overflow in the legacy_parse_param function to achieve arbitrary memory write.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel 5.1-rc1 to 5.16.2
Auth required
Prerequisites: Local access · CAP_SYS_ADMIN capability
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 17 stars
by veritas501 · local
https://github.com/veritas501/CVE-2022-0185-PipeVersion

This is a functional exploit for CVE-2022-0185, leveraging a pipe-primitive technique to bypass KASLR, SMAP, SMEP, and KPTI. It achieves local privilege escalation by overwriting /usr/bin/mount with a SUID shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2022-0185)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Compilation environment with static linking support
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by discordianfish · poc
https://github.com/discordianfish/cve-2022-0185-crash-poc

This repository contains a Dockerized proof-of-concept for CVE-2022-0185, a Linux kernel vulnerability in the filesystem context handling. The crash.c file exploits a heap-based buffer overflow in the fsconfig syscall, leading to a denial-of-service (kernel crash).

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Linux kernel versions 5.1-5.16.2
No auth needed
Prerequisites: Unpatched Linux kernel (5.1-5.16.2) · Ability to execute syscalls (unprivileged user)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by featherL · local
https://github.com/featherL/CVE-2022-0185-exploit

This is a working exploit for CVE-2022-0185, a heap overflow vulnerability in the Linux kernel's fsconfig syscall. The exploit leverages use-after-free (UAF) and heap spraying techniques to achieve local privilege escalation (LPE) by corrupting kernel structures and executing arbitrary code.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2022-0185)
No auth needed
Prerequisites: Linux kernel vulnerable to CVE-2022-0185 · Ability to execute code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by dcheng69 · poc
https://github.com/dcheng69/CVE-2022-0185-Case-Study

This repository contains a proof-of-concept exploit for CVE-2022-0185, a heap-based buffer overflow in the Linux kernel's Filesystem Context functionality. The exploit leverages an unsigned integer underflow to achieve local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel versions 5.1 to 5.4.0-96.109
No auth needed
Prerequisites: Unprivileged user access · Kernel version 5.1 to 5.4.0-96.109 · Filesystem that does not support the Filesystem Context API
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by shakyanayann · local
https://github.com/shakyanayann/CVE-2022-0185

This is a functional exploit for CVE-2022-0185, a heap-based buffer overflow in the Linux kernel's filesystem context. The exploit leverages message queue manipulation and memory corruption to achieve local privilege escalation (LPE) by executing shellcode as root.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (versions affected by CVE-2022-0185)
No auth needed
Prerequisites: Linux system with vulnerable kernel · unprivileged user access
devstral-2 · analyzed Mar 06, 2026

nomisec WORKING POC
by prabeershakya · poc
https://github.com/prabeershakya/CVE-2022-0185-POC

This repository contains a functional proof-of-concept exploit for CVE-2022-0185, a heap-based buffer overflow in the Linux kernel's `legacy_parse_param` function. The exploit includes two variants: one for local privilege escalation (LPE) on Ubuntu using FUSE and SYSVIPC, and another for kCTF container escape using pipes and ROP chains.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 5.1 – 5.15
No auth needed
Prerequisites: Linux kernel 5.1 – 5.15 · unshare -Urm for CAP_SYS_ADMIN · FUSE filesystem setup
devstral-2 · analyzed Mar 04, 2026

nomisec WORKING POC
by sandesh9978 · poc
https://github.com/sandesh9978/CVE-2022-0185-Analysis-and-Exploit

This repository contains a functional proof-of-concept exploit for CVE-2022-0185, a heap-based buffer overflow in the Linux kernel's filesystem context implementation. The exploit demonstrates privilege escalation via heap memory corruption and includes detailed technical analysis.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (versions prior to 5.11.0, 5.16.2, 5.15.16, 5.10.93)
No auth needed
Prerequisites: Vulnerable Linux kernel · Local access · Isolated test environment
devstral-2 · analyzed Feb 25, 2026

gitlab WORKING POC
by Skwgasnaw · local
https://gitlab.com/Skwgasnaw/CVE-2022-0185

This repository contains a functional exploit for CVE-2022-0185, a Linux kernel vulnerability in the fsconfig syscall. The exploit demonstrates local privilege escalation and container escape by leveraging an integer overflow in the legacy_parse_param function.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel 5.1-rc1 to 5.16.2
Auth required
Prerequisites: CAP_SYS_ADMIN capability · Linux kernel version 5.1-rc1 to 5.16.2
devstral-2 · analyzed Feb 23, 2026

nomisec WORKING POC
by khaclep007 · poc
https://github.com/khaclep007/CVE-2022-0185

This repository contains two exploit implementations for CVE-2022-0185, a Linux kernel vulnerability. The FUSE-based exploit targets Ubuntu (kernel 5.11.0-44) to achieve privilege escalation by making /bin/bash SUID, while the kCTF version targets Kubernetes 1.22 for root RCE via a stack pivot and ROP chain.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (5.1+), specifically Ubuntu 5.11.0-44 and Kubernetes 1.22.3-gke.700
No auth needed
Prerequisites: Linux kernel 5.1+ with vulnerable fsconfig syscall · FUSE or pipe-based heap manipulation primitives · SYSVIPC message queue access
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Crusaders-of-Rust/CVE-2022-0185
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2022/01/18/7
Exploit, Third Party Advisory x_refsource_misc
https://www.willsroot.io/2022/01/cve-2022-0185.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220225-0003/

Scores

CVSS v3 8.4
EPSS 0.2515
EPSS Percentile 97.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-08-21
VulnCheck KEV 2024-03-21
InTheWild.io 2024-08-21
ENISA EUVD EUVD-2022-15389
CWE: CWE-190, CWE-191
Status: published
Products (9)
linux/linux_kernel 5.1 - 5.4.173
netapp/h300e_firmware
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
netapp/h500e_firmware
netapp/h500s_firmware
netapp/h700e_firmware
netapp/h700s_firmware
Published Feb 11, 2022
KEV Added Aug 21, 2024
Tracked Since Feb 18, 2026