CVE-2022-1015

MEDIUM

Linux Kernel < 5.16.18 - Out-of-bounds Write in netfilter nf_tables_api

Exploitation Summary

EIP tracks 10 public exploits for CVE-2022-1015. PoCs published by pqlx, ysanatomic, more-kohii.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2022-1015, a local privilege escalation vulnerability in the `nf_tables` component of the Linux kernel. The exploit targets kernels between versions 5.12 and 5.17, leveraging a bug in the netfilter subsystem to achieve privilege escalation.

Description

A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.

Exploits (10)

nomisec WORKING POC 205 stars
by pqlx · poc
https://github.com/pqlx/CVE-2022-1015

This repository contains a proof-of-concept exploit for CVE-2022-1015, a local privilege escalation vulnerability in the `nf_tables` component of the Linux kernel. The exploit targets kernels between versions 5.12 and 5.17, leveraging a bug in the netfilter subsystem to achieve privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (nf_tables component), versions after 5.12 and before 5.17
Auth required
Prerequisites: Local access to a vulnerable system · Kernel version between 5.12 and 5.17 · Appropriate kernel headers and libraries (libmnl, libnftnl)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by ysanatomic · poc
https://github.com/ysanatomic/CVE-2022-1015

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2022-1015, targeting an out-of-bounds (OOB) read/write vulnerability in the Linux Kernel's nf_tables. The exploit bypasses KASLR and escalates privileges to root by manipulating netfilter rules and triggering a stack-based ROP chain.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel versions 5.12 to 5.17 (pre-patch)
No auth needed
Prerequisites: Vulnerable kernel version (5.12 to 5.17) · libmnl and libnftnl libraries · User namespace access
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by more-kohii · poc
https://github.com/more-kohii/CVE-2022-1015

This PoC exploits CVE-2022-1015, a stack-based out-of-bounds read/write vulnerability in the Linux kernel's nftables subsystem. It demonstrates privilege escalation via a crafted ROP chain to bypass kernel security mechanisms.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (nftables subsystem)
No auth needed
Prerequisites: Linux kernel with vulnerable nftables implementation · Ability to execute code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by pivik271 · poc
https://github.com/pivik271/CVE-2022-1015

This is a functional privilege escalation exploit for CVE-2022-1015, leveraging a netfilter heap out-of-bounds write to achieve arbitrary kernel memory manipulation. It uses a two-stage approach: first leaking the kernel base address via UDP packet manipulation, then executing a ROP chain to escalate privileges and spawn a root shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2022-1015)
No auth needed
Prerequisites: Linux system with vulnerable kernel · Ability to execute unprivileged code · Netfilter/nftables support
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by seadragnol · poc
https://github.com/seadragnol/CVE-2022-1015

This is a functional exploit for CVE-2022-1015, targeting a Linux kernel nftables out-of-bounds access vulnerability. It achieves local privilege escalation by manipulating nftables rules and leveraging kernel memory corruption.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 5.17.0 with nftables
No auth needed
Prerequisites: Linux kernel 5.17.0 · nftables support · libmnl and libnftnl libraries
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by 0range1337 · poc
https://github.com/0range1337/CVE-2022-1015

This PoC demonstrates CVE-2022-1015, a Linux kernel vulnerability in the nftables subsystem, by creating a custom rootfs environment and executing a test binary within a QEMU VM. The test.c file sets up CPU affinity and user/network namespaces before spawning a shell.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (nftables subsystem)
No auth needed
Prerequisites: QEMU · Linux kernel with nftables support · Compiled test binary
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by wlswotmd · poc
https://github.com/wlswotmd/CVE-2022-1015

This is a local privilege escalation (LPE) PoC for CVE-2022-1015, exploiting a vulnerability in the Linux kernel's netfilter subsystem. The code demonstrates the creation of malicious nftables rules to trigger the vulnerability.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2022-1015)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Ability to execute code with sufficient permissions to interact with netfilter
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by delsploit · poc
https://github.com/delsploit/CVE-2022-1015

This repository contains a functional proof-of-concept exploit for CVE-2022-1015, a Linux kernel vulnerability in the nf_tables subsystem. The exploit achieves local privilege escalation by manipulating netfilter rules to leak kernel addresses and overwrite kernel memory, ultimately spawning a root shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2022-1015)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Compilation tools (gcc, make) · libmnl and libnftnl libraries
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by shuttterman · poc
https://github.com/shuttterman/bob_kern_exp1

This PoC exploits CVE-2022-1015, a vulnerability in the Linux kernel's nf_tables subsystem, to leak kernel memory. The code uses libmnl and libnftnl to manipulate netfilter tables and chains, demonstrating the vulnerability through crafted nf_tables rules.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (nf_tables subsystem)
No auth needed
Prerequisites: libmnl-dev · libnftnl-dev
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by zanezhub · poc
https://github.com/zanezhub/CVE-2022-1015-1016

This is a Spanish translation of a blog post discussing CVE-2022-1015 and CVE-2022-1016, two Linux kernel vulnerabilities in the nf_tables module. It provides background, analysis, and context but does not contain exploit code.

Classification: Writeup 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Linux kernel (nf_tables module)
No auth needed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.6
EPSS: 0.0147
EPSS Percentile: 70.4%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Details

CWE: CWE-787
Status: published
Products (2):
- fedoraproject/fedora 35
- linux/linux_kernel < 5.16.18
Published: Apr 29, 2022
Tracked Since: Feb 18, 2026