CVE-2022-0995

HIGH

Watch Queue Out of Bounds Write

Title source: metasploit
Exploitation Summary

EIP tracks 5 public exploits for CVE-2022-0995. PoCs were published by Bonfee, 1nzag, and AndreevSemen; the set also includes the Metasploit module exploits/linux/local/cve_2022_0995_watch_queue.

AI-analyzed exploit summary: This is a working exploit for CVE-2022-0995, a heap out-of-bounds write in the watch_queue Linux kernel component. It targets Ubuntu 21.10 with kernel 5.13.0-37 and achieves local privilege escalation by corrupting msg_msg structures and leveraging a ROP chain.

Description

An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.

Exploits (5)

nomisec WORKING POC 500 stars
by Bonfee · poc
https://github.com/Bonfee/CVE-2022-0995

This is a working exploit for CVE-2022-0995, a heap out-of-bounds write in the watch_queue Linux kernel component. It targets Ubuntu 21.10 with kernel 5.13.0-37 and achieves local privilege escalation by corrupting msg_msg structures and leveraging a ROP chain.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 5.13.0-37 (Ubuntu 21.10)
No auth needed
Prerequisites: Local access to the target system · Kernel version 5.13.0-37 on Ubuntu 21.10
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by 1nzag · poc
https://github.com/1nzag/CVE-2022-0995

This is a working exploit for CVE-2022-0995, a Linux kernel vulnerability in the watch_queue subsystem. It leverages a use-after-free to achieve local privilege escalation by manipulating msg_msg structures and pipe buffers.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 5.13.18
No auth needed
Prerequisites: Linux kernel 5.13.18 with watch_queue enabled · Unprivileged user access
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by AndreevSemen · poc
https://github.com/AndreevSemen/CVE-2022-0995

This is a working privilege escalation exploit for CVE-2022-0995, leveraging a heap out-of-bounds write in the Linux kernel's watch_queue component to achieve arbitrary code execution in the kernel context. The exploit uses msg_msg spraying and ROP chains to bypass KASLR and gain root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 5.13.0-37 (Ubuntu 21.10)
No auth needed
Prerequisites: Linux kernel 5.13.0-37 · CONFIG_WATCH_QUEUE enabled · unprivileged user access
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by A1b2rt · poc
https://github.com/A1b2rt/cve-2022-0995

The repository contains only a README.md file with minimal content, providing no functional exploit code or technical details for CVE-2022-0995.

Classification: Stub 10%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GREAT
by Jann Horn, bonfee, bwatters-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2022_0995_watch_queue.rb

This Metasploit module exploits CVE-2022-0995, a heap out-of-bounds write vulnerability in the Linux Kernel's watch_queue event notification system. It targets Ubuntu Linux 5.13.0-37 and attempts to achieve local privilege escalation by leveraging a heap spray technique.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel < 5.17-rc8 (specifically Ubuntu 5.13.0-37)
Auth required
Prerequisites: Local access to the target system · Kernel version 5.13.0-37 on Ubuntu · Write permissions in a directory (default /tmp)
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2063786
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/166815/Watch-Queue-Out-Of-Bounds-Write.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220429-0001/

Scores

CVSS v3 7.8
EPSS 0.0620
EPSS Percentile 92.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-787
Status: published
Products (14)
fedoraproject/fedora 35
linux/linux_kernel 5.17 rc1 (7 CPE variants)
linux/linux_kernel 5.8 - 5.10.106
netapp/h300e_firmware
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
netapp/h500e_firmware
netapp/h500s_firmware
netapp/h610c_firmware
... and 4 more
Published Mar 25, 2022
Tracked Since Feb 18, 2026