CVE-2022-34918

HIGH EXPLOITED

Netfilter nft_set_elem_init Heap Overflow Privilege Escalation

Title source: metasploit

Exploitation Summary

CVE-2022-34918 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including randorisec, veritas501 and merlinepedra, as well as a Metasploit module, exploits/linux/local/netfilter_nft_set_elem_init_privesc.

AI-analyzed exploit summary: This repository contains a functional local privilege escalation (LPE) exploit for CVE-2022-34918, targeting the Linux kernel (specifically Ubuntu 5.15.0-39-generic). The exploit leverages heap spraying and keyring manipulation to achieve privilege escalation, with detailed implementation in C.

Description

An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

Exploits (6)

nomisec WORKING POC 245 stars
by randorisec · local
https://github.com/randorisec/CVE-2022-34918-LPE-PoC

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2022-34918, targeting the Linux kernel (specifically Ubuntu 5.15.0-39-generic). The exploit leverages heap spraying and keyring manipulation to achieve privilege escalation, with detailed implementation in C.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 5.15.0-39-generic
No auth needed
Prerequisites: Access to a vulnerable Linux kernel version · Ability to compile and execute the exploit locally
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 219 stars
by veritas501 · local
https://github.com/veritas501/CVE-2022-34918

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2022-34918, targeting a vulnerability in the Linux kernel's netfilter subsystem. The exploit leverages the USMA technique to achieve privilege escalation and namespace escape, with detailed shellcode generation and kernel memory manipulation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (netfilter subsystem)
No auth needed
Prerequisites: Linux kernel with vulnerable netfilter subsystem · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by merlinepedra · poc
https://github.com/merlinepedra/CVE-2022-34918-LPE-PoC

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2022-34918, targeting Linux kernel 5.15.0-39-generic. The exploit leverages heap spraying and netfilter set manipulation to achieve arbitrary write primitives and escalate privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 5.15.0-39-generic
No auth needed
Prerequisites: Access to a vulnerable Linux kernel (5.15.0-39-generic) · CAP_NET_ADMIN capability
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by merlinepedra25 · poc
https://github.com/merlinepedra25/CVE-2022-34918-LPE-PoC

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2022-34918, targeting Linux kernel 5.15.0-39-generic. The exploit leverages heap spraying and netfilter set manipulation to achieve arbitrary write primitives and escalate privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 5.15.0-39-generic
No auth needed
Prerequisites: Unprivileged user access · Kernel version 5.15.0-39-generic
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by linulinu · poc
https://github.com/linulinu/CVE-2022-34918

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2022-34918, targeting Linux kernel 5.15.0-39-generic. The exploit leverages heap spraying and netfilter set manipulation to achieve arbitrary write primitives and ultimately gain root access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel 5.15.0-39-generic
No auth needed
Prerequisites: Access to a vulnerable Linux kernel (5.15.0-39-generic) · CAP_NET_ADMIN capability
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC NORMAL
ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb

This Metasploit module exploits a type confusion bug in the Linux kernel's nft_set_elem_init function (CVE-2022-34918) to achieve local privilege escalation. It leverages a heap overflow to escalate privileges from an unprivileged user namespace with CAP_NET_ADMIN access to root.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Linux kernel through 5.18.9
No auth needed
Prerequisites: Unprivileged user namespace with CAP_NET_ADMIN access · Kernel version 5.7 to 5.18.9 · CONFIG_USER_NS enabled · x86_64 architecture
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/07/05/1
Exploit, Third Party Advisory x_refsource_misc
https://www.randorisec.fr/crack-linux-firewall/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5191
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/08/06/5
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220826-0004/
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2022/07/02/3

Scores

CVSS v3 7.8
EPSS 0.0513
EPSS Percentile 91.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-02-26
CWE CWE-843
Status published
Products (12)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
canonical/ubuntu_linux 22.04
debian/debian_linux 11.0
linux/linux_kernel 4.1 - 4.14.316
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
... and 2 more
Published Jul 04, 2022
Tracked Since Feb 18, 2026