CVE-2023-2598

HIGH

Linux Kernel 6.3-6.3.2 - Use-After-Free in io_uring Buffer Registration

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2023-2598. PoCs published by ysanatomic, SpongeBob-369, LLfam.

AI-analyzed exploit summary This repository contains a functional local privilege escalation (LPE) exploit for CVE-2023-2598, leveraging a vulnerability in the Linux kernel's io_uring subsystem. The exploit uses memory corruption techniques to leak kernel addresses and achieve arbitrary code execution in kernel mode.

Description

A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.

Exploits (5)

nomisec WORKING POC 92 stars

by ysanatomic · poc

https://github.com/ysanatomic/io_uring_LPE-CVE-2023-2598

View Code ZIP pw:eip

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2023-2598, leveraging a vulnerability in the Linux kernel's io_uring subsystem. The exploit uses memory corruption techniques to leak kernel addresses and achieve arbitrary code execution in kernel mode.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel (specific versions affected by CVE-2023-2598)

No auth needed

Prerequisites: Linux system with vulnerable kernel · io_uring support enabled · Local user access

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WRITEUP 3 stars

by SpongeBob-369 · poc

https://github.com/SpongeBob-369/CVE-2023-2598

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2023-2598, a vulnerability in the Linux kernel's io_uring subsystem. The writeup explains the logical bug in the `io_sqe_buffer_register` function, where the folio coalescing logic fails to check for consecutive pages, leading to potential exploitation.

Classification

Writeup 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Theoretical

Target: Linux Kernel (io_uring subsystem)

No auth needed

Prerequisites: Access to a vulnerable Linux kernel with io_uring enabled

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by LLfam · poc

https://github.com/LLfam/CVE-2023-2598

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-2598, leveraging io_uring and memory manipulation techniques to achieve privilege escalation. The code demonstrates detailed knowledge of kernel structures and offsets, indicating a well-researched and operational PoC.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux Kernel (specific version not specified)

No auth needed

Prerequisites: Access to a vulnerable Linux kernel · Ability to execute code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by guard-wait · poc

https://github.com/guard-wait/CVE-2023-2598_EXP

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-2598, leveraging io_uring to achieve arbitrary memory write primitives, which are then used to spray heap and manipulate file structures (e.g., /etc/passwd). The exploit is written in C and targets the Linux kernel's io_uring subsystem.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux Kernel (io_uring subsystem)

No auth needed

Prerequisites: Linux kernel with vulnerable io_uring implementation · Ability to execute code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by cainiao159357 · poc

https://github.com/cainiao159357/CVE-2023-2598

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-2598, leveraging a vulnerability in io_uring's handling of compound pages to achieve local privilege escalation (LPE) by manipulating the `cred` structure. The exploit includes detailed technical analysis of the vulnerability, including the misuse of `page_folio()` and the resulting out-of-bounds read/write.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel (io_uring subsystem)

No auth needed

Prerequisites: Linux kernel with io_uring support · Vulnerable kernel version

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory

https://security.netapp.com/advisory/ntap-20230703-0006/

Mailing List, Third Party Advisory

https://www.openwall.com/lists/oss-security/2023/05/08/3

Mailing List mailing-list

http://www.openwall.com/lists/oss-security/2024/04/24/3

Scores

CVSS v3 7.8

EPSS 0.0137

EPSS Percentile 68.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-416 CWE-787

Status published

Products (6)

linux/linux_kernel 6.3 - 6.3.2

netapp/hci_baseboard_management_controller h300s

netapp/hci_baseboard_management_controller h410c

netapp/hci_baseboard_management_controller h410s

netapp/hci_baseboard_management_controller h500s

netapp/hci_baseboard_management_controller h700s

Published Jun 01, 2023

Tracked Since Feb 18, 2026