CVE-2022-2588

MEDIUM

Linux Kernel < 4.9.326 - Use-After-Free in cls_route Filter Implementation

Exploitation Summary

EIP tracks 11 public exploits for CVE-2022-2588. PoCs published by Markakd, BassamGraini, veritas501.

AI-analyzed exploit summary: This repository contains a working exploit PoC for CVE-2022-2588, a Linux kernel vulnerability in the route4_filter linked list handling, leading to a double-free and privilege escalation via credential manipulation. The exploit leverages DirtyCred techniques to modify file credentials, allowing arbitrary file writes.

Description

It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.

Exploits (11)

nomisec WORKING POC 485 stars
by Markakd · poc
https://github.com/Markakd/CVE-2022-2588

This repository contains a working exploit PoC for CVE-2022-2588, a Linux kernel vulnerability in the route4_filter linked list handling, leading to a double-free and privilege escalation via credential manipulation. The exploit leverages DirtyCred techniques to modify file credentials, allowing arbitrary file writes.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel versions 3.17 to 5.18
No auth needed
Prerequisites: User Namespaces enabled · CONFIG_NET_CLS_ACT enabled
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 12 stars
by BassamGraini · poc
https://github.com/BassamGraini/CVE-2022-2588

This is a working proof-of-concept exploit for CVE-2022-2588, a use-after-free vulnerability in the Linux kernel's netfilter subsystem. The exploit leverages a race condition to achieve local privilege escalation by manipulating file descriptors and netlink messages.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specific versions affected by CVE-2022-2588)
No auth needed
Prerequisites: Local access to the vulnerable system · Kernel version affected by CVE-2022-2588
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 11 stars
by veritas501 · poc
https://github.com/veritas501/CVE-2022-2588

This repository contains a working exploit for CVE-2022-2588, a Linux kernel vulnerability involving a double-free in the traffic control (tc) subsystem. The exploit leverages heap manipulation and file descriptor overlap to achieve privilege escalation by overwriting /etc/passwd.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (specific version not specified in provided code)
No auth needed
Prerequisites: Linux kernel with vulnerable tc subsystem · Ability to execute code on the target system · QEMU environment for testing (as indicated by boot.sh)
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 10 stars
by nopgadget · poc
https://github.com/nopgadget/CVE-2022-2588

This repository contains a writeup for CVE-2022-2588, a Linux kernel cls_route UAF vulnerability that can lead to local privilege escalation. The bug exists due to improper handling of filters with a handle value of 0, requiring CAP_NET_ADMIN for exploitation.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Linux kernel (since v2.6.12-rc2)
Auth required
Prerequisites: CAP_NET_ADMIN capability in any user or network namespace
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 7 stars
by pirenga · poc
https://github.com/pirenga/2022-LPE-UAF

This repository contains proof-of-concept exploit code for CVE-2022-2585, CVE-2022-2586, and CVE-2022-2588, targeting Linux kernel vulnerabilities related to POSIX CPU timer UAF, nf_tables cross-table reference UAF, and cls_route UAF, respectively. The PoCs demonstrate local privilege escalation (LPE) techniques.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Linux kernel (specific versions affected by CVE-2022-2585, CVE-2022-2586, CVE-2022-2588)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to the specified CVEs
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by konoha279 · poc
https://github.com/konoha279/2022-LPE-UAF

This repository contains proof-of-concept exploits for CVE-2022-2585, CVE-2022-2586, and CVE-2022-2588, targeting use-after-free (UAF) vulnerabilities in the Linux kernel. The exploits demonstrate local privilege escalation (LPE) by manipulating kernel objects and timers.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specific versions affected by CVE-2022-2585, CVE-2022-2586, CVE-2022-2588)
No auth needed
Prerequisites: Local access to the target system · Kernel version vulnerable to the specified CVEs
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by ASkyeye · poc
https://github.com/ASkyeye/2022-LPE-UAF

This repository contains proof-of-concept exploits for CVE-2022-2585, CVE-2022-2586, and CVE-2022-2588, targeting Linux kernel vulnerabilities for local privilege escalation (LPE) via use-after-free (UAF) and DirtyCred techniques. The exploits demonstrate kernel object manipulation and netfilter table operations to achieve privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specific versions affected by CVE-2022-2585, CVE-2022-2586, CVE-2022-2588)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Compilation environment for C code · Kernel debug symbols (for some techniques)
devstral-2 · analyzed Feb 16, 2026

gitlab WRITEUP
by ph13b45 · poc
https://gitlab.com/ph13b45/CVE-2022-2588

This repository provides a technical description of CVE-2022-2588, a Linux kernel cls_route UAF vulnerability leading to local privilege escalation. It includes details about the bug's origin, exploitation requirements (CAP_NET_ADMIN), and mitigation steps.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Linux kernel (since v2.6.12-rc2)
Auth required
Prerequisites: CAP_NET_ADMIN capability in any user or network namespace
devstral-2 · analyzed Jun 19, 2026

gitlab WRITEUP
by nopgadget · poc
https://gitlab.com/nopgadget/CVE-2022-2588

This repository provides a technical description of CVE-2022-2588, a Linux kernel cls_route UAF vulnerability leading to local privilege escalation. It references an external PoC but does not contain functional exploit code itself.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Linux kernel (since v2.6.12-rc2)
Auth required
Prerequisites: CAP_NET_ADMIN capability in any user or network namespace
devstral-2 · analyzed Jun 12, 2026

nomisec WORKING POC
by Igr1s-red · poc
https://github.com/Igr1s-red/CVE-2022-2588

This repository contains a working exploit for CVE-2022-2588, a Linux kernel vulnerability in the route4_filter linked list handling, leading to a double-free condition. The exploit leverages DirtyCred techniques to manipulate task and file credentials, achieving local privilege escalation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel versions 3.17 to 5.18
No auth needed
Prerequisites: User Namespaces enabled · CONFIG_NET_CLS_ACT enabled
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by dom4570 · poc
https://github.com/dom4570/CVE-2022-2588

This repository contains a working exploit PoC for CVE-2022-2588, a Linux kernel vulnerability in the route4_filter linked list handling, leading to a double-free and privilege escalation via credential manipulation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel versions 3.17 to 5.18
No auth needed
Prerequisites: User Namespaces enabled · CONFIG_NET_CLS_ACT enabled
devstral-2 · analyzed Feb 16, 2026

References (15)

Core References
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5565-1
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5562-1
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5582-1
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5564-1
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5566-1
Third Party Advisory, VDB Entry issue-tracking
https://www.zerodayinitiative.com/advisories/ZDI-22-1117/
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5588-1
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5560-1
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5567-1
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5560-2
Mailing List, Patch issue-tracking
https://lore.kernel.org/netdev/[email protected]/T/#u
Third Party Advisory third-party-advisory
https://ubuntu.com/security/notices/USN-5557-1

Scores

CVSS v3 5.3
EPSS 0.0686
EPSS Percentile 93.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-415 CWE-416
Status published
Products (6)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
canonical/ubuntu_linux 22.04
linux/linux_kernel < 4.9.326
Published Jan 08, 2024
Tracked Since Feb 18, 2026