CVE-2023-0045

MEDIUM

Linux Kernel 3.16.68-3.17 - Branch Target Injection via prctl Syscall

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-0045. PoCs published by es0j, ASkyeye.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2023-0045, demonstrating a bypass of Spectre-BTI user space mitigations on Linux. The exploit leverages a timing window where the kernel fails to issue an IBPB immediately during a syscall, leaving processes vulnerable to branch target injection attacks.

Description

The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96

Exploits (2)

nomisec WORKING POC 14 stars

by es0j · poc

https://github.com/es0j/CVE-2023-0045

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2023-0045, demonstrating a bypass of Spectre-BTI user space mitigations on Linux. The exploit leverages a timing window where the kernel fails to issue an IBPB immediately during a syscall, leaving processes vulnerable to branch target injection attacks.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Complex

Reliability

Reliable

Target: Linux Kernel 5.15

No auth needed

Prerequisites: Intel CPU with IBRS/IBPB support · Linux kernel with Spectre-BTI mitigations enabled

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by ASkyeye · poc

https://github.com/ASkyeye/CVE-2023-0045

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2023-0045, demonstrating a Spectre-BTI vulnerability in Linux kernel mitigations. The exploit shows that the kernel fails to issue an IBPB immediately during a syscall, leaving a window for attack.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 5.15

No auth needed

Prerequisites: Access to a vulnerable Linux kernel version · Hardware support for Spectre mitigations

MITRE ATT&CK

T1069 - Permission Groups Discovery T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Mailing List, Patch

https://git.kernel.org/tip/a664ec9158eeddd75121d39c9a0758016097fa96

Exploit, Third Party Advisory

https://github.com/google/security-research/security/advisories/GHSA-9x5g-vmxf-4qj8

Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html

Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html

Third Party Advisory

https://security.netapp.com/advisory/ntap-20230714-0001/

Scores

CVSS v3 4.7

EPSS 0.0240

EPSS Percentile 81.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-610

Status published

Products (8)

debian/debian_linux 10.0

linux/linux_kernel 3.16.68 - 3.17

netapp/active_iq_unified_manager

netapp/h300s_firmware

netapp/h410c_firmware

netapp/h410s_firmware

netapp/h500s_firmware

netapp/h700s_firmware

Published Apr 25, 2023

Tracked Since Feb 18, 2026