CVE-2022-32250

HIGH

Linux Kernel 4.1-5.18.1 - Use-After-Free in nf_tables_api.c

Title source: llm

Exploitation Summary

EIP tracks 11 public exploits for CVE-2022-32250. PoCs published by theori-io, ysanatomic, seadragnol.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2022-32250, a Linux kernel local privilege escalation vulnerability caused by a use-after-free in the NFT_STATEFUL_EXPR check. The exploit leverages mqueue and keyring manipulation to achieve root privileges.

Description

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

Exploits (11)

nomisec WORKING POC 177 stars
by theori-io · poc
https://github.com/theori-io/CVE-2022-32250-exploit

This repository contains a functional exploit for CVE-2022-32250, a Linux kernel local privilege escalation vulnerability caused by a use-after-free in the NFT_STATEFUL_EXPR check. The exploit leverages mqueue and keyring manipulation to achieve root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel before commit 520778042ccca019f3ffa136dd0ca565c486cedd (26 May 2022)
Auth required
Prerequisites: Local user access · Ubuntu 22.04 or similar environment with vulnerable kernel
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 9 stars
by ysanatomic · poc
https://github.com/ysanatomic/CVE-2022-32250-LPE

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2022-32250, a Use-After-Free vulnerability in the Linux kernel's netfilter subsystem. The exploit demonstrates heap leaking, KASLR bypass, and modprobe_path overwrite to achieve root privileges on vulnerable systems.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (netfilter/nf_tables) versions affected by CVE-2022-32250
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Kernel version affected by CVE-2022-32250 · libmnl and libnftnl libraries for compilation
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 3 stars
by seadragnol · poc
https://github.com/seadragnol/CVE-2022-32250

This repository contains a functional exploit for CVE-2022-32250, a use-after-free vulnerability in the nf_tables subsystem of the Linux kernel. The exploit leverages the vulnerability to achieve local privilege escalation by manipulating netfilter sets and spraying kernel memory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel 5.13 (nf_tables subsystem)
No auth needed
Prerequisites: Linux kernel 5.13 with nf_tables enabled · libmnl and libnftnl libraries installed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by g3un · poc
https://github.com/g3un/cve-2022-32250

This repository contains a functional exploit for CVE-2022-32250, a Linux kernel vulnerability in nftables. It includes a Dockerized environment with a vulnerable kernel (5.15.44), a custom root filesystem, and an exploit that manipulates netfilter rules via netlink sockets and message queues to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 5.15.44 with nftables
No auth needed
Prerequisites: Linux kernel 5.15.44 with nftables enabled · User namespace support · Netfilter/netlink access
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by LSinus · poc
https://github.com/LSinus/CacheMeIfYouCan

This repository contains a functional exploit for CVE-2022-32250, targeting a Linux kernel vulnerability. It includes GDB scripts for memory analysis, kernel module code, and an exploit binary designed to achieve local privilege escalation (LPE).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel (specific version not explicitly stated)
No auth needed
Prerequisites: Linux kernel with CVE-2022-32250 vulnerability · GDB for debugging scripts · kernel module compilation environment
devstral-2 · analyzed Mar 06, 2026
nomisec WORKING POC 1 star
by Kristal-g · poc
https://github.com/Kristal-g/CVE-2022-32250

This repository contains a functional exploit for CVE-2022-32250, a Linux kernel vulnerability in the nf_tables subsystem. The exploit leverages netlink messages to manipulate kernel memory and achieve privilege escalation via a ROP chain.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specific version not specified, but likely 5.18.x or similar)
No auth needed
Prerequisites: Linux system with vulnerable kernel · Compilation dependencies (libmnl, libnftnl)
devstral-2 · analyzed Feb 18, 2026
nomisec NO CODE 1 star
by Decstor5 · poc
https://github.com/Decstor5/2022-32250LPE
nomisec WORKING POC
by Theori-lO · poc
https://github.com/Theori-lO/CVE-2022-32250-exploit

This repository contains a functional exploit for CVE-2022-32250, a Linux kernel local privilege escalation vulnerability caused by a use-after-free in the NFT_STATEFUL_EXPR check. The exploit leverages keyring manipulation and message queue spraying to achieve arbitrary memory corruption and privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel before commit 520778042ccca019f3ffa136dd0ca565c486cedd (26 May 2022)
Auth required
Prerequisites: Local user access · Linux kernel version before the patch · Compilation with libmnl and libnftnl
devstral-2 · analyzed Apr 30, 2026
nomisec WRITEUP
by KuanKuanQAQ · poc
https://github.com/KuanKuanQAQ/cve-testing

The repository contains documentation and scripts related to Linux kernel ABI, ATA over Ethernet (AoE), and other kernel features. No exploit code or offensive techniques are present.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Linux kernel documentation
No auth needed
devstral-2 · analyzed Feb 16, 2026

References (18)

Core References
Exploit, Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2022/05/31/1
Exploit, Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/06/03/1
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/06/04/1
Third Party Advisory x_refsource_misc
https://www.debian.org/security/2022/dsa-5161
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2092427
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/06/20/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/07/03/6
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/07/03/5
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5173
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220715-0005/
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/08/25/1
Exploit, Third Party Advisory x_refsource_misc
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/theori-io/CVE-2022-32250-exploit
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/09/02/9

Scores

CVSS v3 7.8
EPSS 0.0313
EPSS Percentile 86.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-416
Status published
Products (10)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 35
fedoraproject/fedora 36
linux/linux_kernel 4.1 - 4.9.318
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
netapp/h500s_firmware
netapp/h700s_firmware
Published Jun 02, 2022
Tracked Since Feb 18, 2026