CVE-2023-3640

HIGH

Linux Kernel - Unauthorized Memory Access via Per-CPU Entry Area Mapping

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-3640. PoCs published by pray77.

AI-analyzed exploit summary This repository contains a working exploit PoC for CVE-2023-3640, targeting a Linux kernel vulnerability. The exploit leverages hardware breakpoints and per CPU entry area mapping to achieve privilege escalation via a ROP chain.

Description

A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.

Exploits (1)

nomisec WORKING POC 29 stars
by pray77 · poc
https://github.com/pray77/CVE-2023-3640

This repository contains a working exploit PoC for CVE-2023-3640, targeting a Linux kernel vulnerability. The exploit leverages hardware breakpoints and per CPU entry area mapping to achieve privilege escalation via a ROP chain.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux Kernel (versions before 6.2 with specific configurations)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel version · Ability to run code on the target system · Specific CPU configurations (e.g., KVM enabled)
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2023-3640
Issue Tracking, Third Party Advisory issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2217523
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:6583

Scores

CVSS v3 7.0
EPSS 0.0076
EPSS Percentile 51.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-203 CWE-385
Status published
Products (8)
linux/linux_kernel
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 9
Red Hat/Red Hat Enterprise Linux 9 0:5.14.0-362.8.1.el9_3
redhat/enterprise_linux 8.0
redhat/enterprise_linux 9.0
Published Jul 24, 2023
Tracked Since Feb 18, 2026