CVE-2023-4911

HIGH KEV RANSOMWARE NUCLEI

Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)

Title source: metasploit

Exploitation Summary

CVE-2023-4911 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 21, 2023), with confirmed use in ransomware campaigns. EIP tracks 24 public exploits from researchers including Beatriz Fresno Naumova, leesh3288, and RickdeJager; these include a Metasploit module, exploits/linux/local/glibc_tunables_priv_esc. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a buffer overflow in glibc's dynamic loader (CVE-2023-4911) to achieve local privilege escalation by corrupting internal loader state and loading a malicious shared object. It patches libc.so.6 with shellcode to spawn a root shell when /usr/bin/su is executed with a crafted environment.

Description

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Exploits (24)

exploitdb WORKING POC
by Beatriz Fresno Naumova · text · local · linux
https://www.exploit-db.com/exploits/52479

This exploit leverages a buffer overflow in glibc's dynamic loader (CVE-2023-4911) to achieve local privilege escalation by corrupting internal loader state and loading a malicious shared object. It patches libc.so.6 with shellcode to spawn a root shell when /usr/bin/su is executed with a crafted environment.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: glibc 2.35 (specifically 2.35-0ubuntu3.3 on Ubuntu 22.04.3 LTS)
No auth needed
Prerequisites: Local access to the target system · Presence of vulnerable glibc version · Ability to execute /usr/bin/su
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 389 stars
by leesh3288 · local
https://github.com/leesh3288/CVE-2023-4911

This repository contains a functional exploit for CVE-2023-4911 (Looney Tunables), leveraging a buffer overflow in glibc's dynamic loader via the GLIBC_TUNABLES environment variable. The exploit crafts malicious environment variables to achieve arbitrary code execution by overwriting critical structures in memory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: glibc (2.35-0ubuntu3.3)
No auth needed
Prerequisites: Ubuntu 22.04.3 with vulnerable glibc version · Ability to execute arbitrary binaries with crafted environment variables
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 171 stars
by RickdeJager · local
https://github.com/RickdeJager/CVE-2023-4911

This repository contains a functional proof-of-concept exploit for CVE-2023-4911, a local privilege escalation vulnerability in glibc's dynamic loader. The exploit leverages a buffer overflow in the processing of GLIBC_TUNABLES environment variables to achieve arbitrary code execution with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: glibc (dynamic loader ld.so)
No auth needed
Prerequisites: Access to a vulnerable system (e.g., Ubuntu 22.10) · Ability to compile and execute the exploit
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 42 stars
by chaudharyarjun · local
https://github.com/chaudharyarjun/LooneyPwner

This repository contains a functional exploit for CVE-2023-4911, targeting the 'Looney Tunables' buffer overflow vulnerability in glibc. The exploit modifies the glibc library to inject shellcode and escalate privileges to root.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: glibc versions >= 2.34
No auth needed
Prerequisites: Vulnerable glibc version · Access to the target system
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 29 stars
by hadrian3689 · local
https://github.com/hadrian3689/looney-tunables-CVE-2023-4911

This repository contains a functional exploit for CVE-2023-4911 (Looney Tunables), leveraging a buffer overflow in glibc's dynamic loader via the GLIBC_TUNABLES environment variable. The exploit manipulates memory to achieve arbitrary code execution by injecting shellcode into a forged libc.so.6.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: glibc (versions affected by CVE-2023-4911)
No auth needed
Prerequisites: Vulnerable glibc version · Ability to execute code on the target system
devstral-2 · analyzed Feb 18, 2026
github WORKING POC 20 stars
by flex0geek · c · poc
https://github.com/flex0geek/cves-exploits/tree/main/CVE-2023-4911

The repository contains a functional exploit for CVE-2023-4911, demonstrating a heap-based buffer overflow in sudo. The exploit leverages a crafted environment variable to achieve privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: sudo (specific version not specified)
No auth needed
Prerequisites: vulnerable sudo version · ability to execute the exploit binary
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 17 stars
by ruycr4ft · local
https://github.com/ruycr4ft/CVE-2023-4911

This repository contains a functional exploit for CVE-2023-4911 (Looney Tunables), a Linux privilege escalation vulnerability in glibc. The exploit leverages a buffer overflow in the GLIBC_TUNABLES environment variable parsing to achieve arbitrary code execution with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: glibc (versions 2.35-0ubuntu3.3 and below)
No auth needed
Prerequisites: Vulnerable glibc version · Ability to execute code on the target system
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP 15 stars
by KernelKrise · local
https://github.com/KernelKrise/CVE-2023-4911

This repository provides a detailed technical analysis of CVE-2023-4911, a local privilege escalation vulnerability in the GNU C Library's dynamic loader (ld.so) due to improper handling of the GLIBC_TUNABLES environment variable. The README includes a thorough breakdown of the vulnerability, affected code paths, and references to external resources for further study.

Classification: Writeup 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: GNU C Library (glibc) ld.so
No auth needed
Prerequisites: Access to a vulnerable system with glibc version affected by CVE-2023-4911
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 15 stars
by Green-Avocado · local
https://github.com/Green-Avocado/CVE-2023-4911

This repository contains a functional proof-of-concept exploit for CVE-2023-4911, a local privilege escalation vulnerability in glibc's dynamic loader. The exploit leverages the Looney Tunables vulnerability to achieve arbitrary code execution by manipulating environment variables and heap grooming techniques.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: glibc (2.35-0ubuntu3.1) on Ubuntu 22.04
No auth needed
Prerequisites: Access to a vulnerable system with glibc 2.35-0ubuntu3.1 · Ability to execute the compiled binary
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 9 stars
by Diego-AltF4 · local
https://github.com/Diego-AltF4/CVE-2023-4911

This repository contains a functional exploit for CVE-2023-4911 (Looney Tunables), a local privilege escalation vulnerability in glibc's dynamic loader. The exploit manipulates environment variables to achieve arbitrary code execution with elevated privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: glibc (2.35-0ubuntu3.1)
No auth needed
Prerequisites: Access to a vulnerable system with glibc 2.35-0ubuntu3.1 · Ability to execute binaries on the target system
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 6 stars
by NishanthAnand21 · local
https://github.com/NishanthAnand21/CVE-2023-4911-PoC

This repository contains a functional exploit for CVE-2023-4911, a buffer overflow in the GNU C Library's dynamic loader (glibc) that allows local privilege escalation. The exploit leverages the GLIBC_TUNABLES environment variable to trigger the vulnerability and gain root access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: GNU C Library (glibc) versions 2.34 and later
No auth needed
Prerequisites: Vulnerable glibc version (2.34+) · Local access to the target system · ASLR enabled
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by puckiestyle · local
https://github.com/puckiestyle/CVE-2023-4911

This repository contains a functional proof-of-concept exploit for CVE-2023-4911 (Looney Tunables), a local privilege escalation vulnerability in glibc's ld.so. The exploit leverages a buffer overflow in the GLIBC_TUNABLES environment variable to achieve arbitrary code execution with root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: glibc ld.so (Ubuntu 22.10 confirmed)
No auth needed
Prerequisites: Local access to a vulnerable system · Compilation of the exploit code
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by teraGL · local
https://github.com/teraGL/looneyCVE

This repository contains a functional exploit for CVE-2023-4911 (Looney Tunables), a buffer overflow in glibc's dynamic loader. The exploit manipulates environment variables to trigger a buffer overflow, leading to arbitrary code execution via a forged libc.so.6 with embedded shellcode.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: glibc (versions affected by CVE-2023-4911)
No auth needed
Prerequisites: Vulnerable glibc version · Ability to execute commands on the target system
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by xiaoQ1z · local
https://github.com/xiaoQ1z/CVE-2023-4911

This repository contains a functional exploit for CVE-2023-4911, a local privilege escalation vulnerability in glibc's dynamic loader. The exploit leverages a buffer overflow in the GLIBC_TUNABLES environment variable parsing to achieve arbitrary code execution with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: glibc (ld.so) on Linux systems
No auth needed
Prerequisites: Local access to a vulnerable Linux system with glibc · Ability to execute binaries
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by 0xMOGA · poc
https://github.com/0xMOGA/CVE-2023-4911-Lab

This repository provides a Docker-based environment for analyzing and exploiting CVE-2023-4911 (Looney Tunables), a buffer overflow in glibc's dynamic loader (ld.so) leading to local privilege escalation. It includes functional exploit code, test binaries, and detailed analysis tools.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: GNU C Library (glibc) 2.34-2.38
No auth needed
Prerequisites: Docker · Linux or WSL2
devstral-2 · analyzed Apr 12, 2026
nomisec WORKING POC
by Aryan20057 · local
https://github.com/Aryan20057/CVE-2023-4911

This repository contains a functional exploit for CVE-2023-4911, targeting a buffer overflow in the GNU C Library's dynamic loader. The exploit manipulates environment variables to trigger the vulnerability and achieve arbitrary code execution.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: GNU C Library (glibc) dynamic loader
No auth needed
Prerequisites: Access to a vulnerable system with glibc dynamic loader · Ability to execute the exploit binary
devstral-2 · analyzed Mar 02, 2026
gitlab WORKING POC
by mdelaclaire · poc
https://gitlab.com/mdelaclaire/LooneyPwner

This repository contains a functional exploit for CVE-2023-4911, the 'Looney Tunables' glibc vulnerability, which allows local privilege escalation (LPE) to root. The exploit modifies the glibc library and leverages a buffer overflow in environment variable processing to execute arbitrary code with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: glibc (versions >= 2.34)
No auth needed
Prerequisites: local access to a vulnerable system · glibc version >= 2.34 · compilation tools (gcc) · Python 3 with pwntools
devstral-2 · analyzed Feb 23, 2026
nomisec WORKING POC
by KillReal01 · local
https://github.com/KillReal01/CVE-2023-4911

This repository contains a functional exploit for CVE-2023-4911 (Looney Tunables), a Linux privilege escalation vulnerability in glibc. The exploit leverages a buffer overflow in the GLIBC_TUNABLES environment variable parsing to achieve arbitrary code execution with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: glibc (versions 2.35-0ubuntu3.3 and below)
No auth needed
Prerequisites: Vulnerable glibc version · Ability to execute code on the target system
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by Billar42 · local
https://github.com/Billar42/CVE-2023-4911

This repository contains a functional exploit for CVE-2023-4911, targeting the Looney Tunables vulnerability in glibc's dynamic loader. The exploit manipulates environment variables to achieve arbitrary code execution via buffer overflow in the dynamic linker.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: glibc dynamic loader (ld.so)
No auth needed
Prerequisites: Vulnerable glibc version · SUID binary or similar execution context
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by snurkeburk · local
https://github.com/snurkeburk/Looney-Tunables

This PoC exploits CVE-2023-4911 (Looney Tunables) by manipulating the GLIBC_TUNABLES environment variable to trigger a buffer overflow in the dynamic loader, leading to arbitrary code execution. The exploit uses carefully crafted environment variables and a fork bomb to maximize the chance of successful exploitation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: GNU C Library (glibc) dynamic loader (ld.so)
No auth needed
Prerequisites: Access to a vulnerable system with glibc version affected by CVE-2023-4911 · Ability to execute arbitrary binaries with a crafted environment
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by guffre · local
https://github.com/guffre/CVE-2023-4911

This repository contains a functional Python-based exploit for CVE-2023-4911 (Looney Tunables), which leverages a buffer overflow in the glibc dynamic loader's GLIBC_TUNABLES environment variable parsing. The exploit crafts a malicious environment to achieve local privilege escalation by overwriting the DT_RPATH entry in the link_map structure.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: glibc (2.35-0ubuntu3.1 on Ubuntu 22.04.3)
No auth needed
Prerequisites: Access to a vulnerable system with glibc 2.35-0ubuntu3.1 · Ability to execute the exploit locally
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by silent6trinity · local
https://github.com/silent6trinity/looney-tuneables

This repository contains a functional exploit for CVE-2023-4911, leveraging a buffer overflow in the GLIBC_TUNABLES environment variable to achieve local privilege escalation (LPE). The exploit modifies the libc.so.6 file to inject shellcode and repeatedly forks processes to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: GNU C Library (glibc) versions affected by CVE-2023-4911
No auth needed
Prerequisites: Access to a vulnerable system with glibc affected by CVE-2023-4911 · Ability to execute the exploit script
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb WORKING POC
local
https://github.com/b4k3d/POC_CVE4911

This repository contains a functional exploit for CVE-2023-4911 (Looney Tunables), targeting a buffer overflow in glibc's dynamic loader. The exploit manipulates the GLIBC_TUNABLES environment variable to achieve arbitrary code execution via a crafted libc.so.6.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: glibc (2.35-0ubuntu3.3)
No auth needed
Prerequisites: Ubuntu 22.04.3 with vulnerable glibc version · ability to execute the exploit binary
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by Qualys Threat Research Unit, blasty, jheysel-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/glibc_tunables_priv_esc.rb

This Metasploit module exploits CVE-2023-4911, a buffer overflow in the GNU C Library's dynamic loader (ld.so) via the GLIBC_TUNABLES environment variable, allowing local privilege escalation to root on vulnerable Ubuntu and Debian systems.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: GNU C Library (glibc) versions 2.31-2.38 on Ubuntu/Debian
No auth needed
Prerequisites: Local access to a vulnerable system · Presence of SUID binaries · Specific glibc versions on Ubuntu/Debian
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Looney Tunables Linux - Local Privilege Escalation
HIGH · by nybble04

References (30)

Core References
Exploit, Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Oct/11
Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/52479
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:5453
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:5454
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:5455
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:5476
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:0033
Third Party Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2023-4911
Issue Tracking, Patch issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2238352

Scores

CVSS v3 7.8
EPSS 0.7861
EPSS Percentile 99.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2023-11-21
VulnCheck KEV 2023-11-03
InTheWild.io 2023-11-03
ENISA EUVD EUVD-2023-54750
Ransomware Use Confirmed
CWE
CWE-122 CWE-787
Status published
Products (50)
canonical/ubuntu_linux 22.04
canonical/ubuntu_linux 23.04
debian/debian_linux 11.0
debian/debian_linux 12.0
fedoraproject/fedora 37
fedoraproject/fedora 38
fedoraproject/fedora 39
gnu/glibc 2.34 - 2.39
netapp/bootstrap_os
netapp/h300s_firmware
... and 40 more
Published Oct 03, 2023
KEV Added Nov 21, 2023
Tracked Since Feb 18, 2026