CVE-2022-25636

HIGH

Linux Kernel 5.4-5.6.10 - Privilege Escalation via nf_dup_netdev Heap Out-of-Bounds Write

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2022-25636. PoCs published by Bonfee, veritas501, chenaotian.

AI-analyzed exploit summary: This is a functional exploit for CVE-2022-25636, targeting a heap-based out-of-bounds write vulnerability in the Linux kernel's nf_tables subsystem. It uses a combination of heap spraying, memory corruption, and ROP to achieve local privilege escalation.

Description

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.

Exploits (4)

nomisec WORKING POC 435 stars
by Bonfee · poc
https://github.com/Bonfee/CVE-2022-25636

This is a functional exploit for CVE-2022-25636, targeting a heap-based out-of-bounds write vulnerability in the Linux kernel's nf_tables subsystem. It uses a combination of heap spraying, memory corruption, and ROP to achieve local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 5.13.0-30 (Ubuntu 21.10)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel version · Ability to execute code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 20 stars
by veritas501 · poc
https://github.com/veritas501/CVE-2022-25636-PipeVersion

This is a functional exploit for CVE-2022-25636, leveraging a pipe-primitive technique to achieve local privilege escalation (LPE) by overwriting /usr/bin/mount with a SUID shell. It bypasses KASLR, SMAP, SMEP, and KPTI without requiring additional leaks or bypasses.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific version affected by CVE-2022-25636)
No auth needed
Prerequisites: Local access to the vulnerable system · Compilation environment with required libraries (libnftnl, libmnl)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by chenaotian · poc
https://github.com/chenaotian/CVE-2022-25636

This repository contains a proof-of-concept exploit for CVE-2022-25636, a heap out-of-bounds write vulnerability in the Linux kernel's netfilter module. The exploit demonstrates local privilege escalation by leveraging the vulnerability to achieve arbitrary kernel memory writes, with a success rate of less than 50%.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 5.4 and later
Auth required
Prerequisites: SYS_ADMIN capability · Linux kernel 5.4 or later · netfilter modules loaded
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Eduardo2221 · poc
https://github.com/Eduardo2221/CVE-2022-25636_COPY-FAIL_ONE-LINE

This repository contains a functional exploit for CVE-2022-25636, a Netfilter heap overflow vulnerability in Linux kernels 5.4 to 5.16.10. The exploit leverages socket operations and memory manipulation to achieve local privilege escalation (LPE).

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel 5.4 to 5.16.10
No auth needed
Prerequisites: Linux kernel version between 5.4 and 5.16.10 · Local access to the target system
devstral-2 · analyzed May 19, 2026

References (9)

Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2022/02/21/2
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/02/22/1
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5095
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Exploit, Third Party Advisory x_refsource_misc
https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Bonfee/CVE-2022-25636
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220325-0002/

Scores

CVSS v3 7.8
EPSS 0.0263
EPSS Percentile 83.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-269
Status published
Products (13)
debian/debian_linux 11.0
linux/linux_kernel 5.4 - 5.4.182
netapp/h300e
netapp/h300s
netapp/h410c
netapp/h410s
netapp/h500e
netapp/h500s
netapp/h700e
netapp/h700s
... and 3 more
Published Feb 24, 2022
Tracked Since Feb 18, 2026