CVE-2024-14027

ANALYSIS PENDING

Linux Kernel 6.11-6.12.76 - Unprivileged Local Denial of Service via fremovexattr Error Path File Reference Leak

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-14027. PoCs published by lcfr-eth.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2024-14027, a Linux kernel vulnerability in `fs/xattr.c` that allows local privilege escalation via a refcount overflow in `fremovexattr`. The exploits demonstrate leaking `/etc/shadow` and achieving a root shell through a double-close technique.

Description

In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user can exploit this to cause kernel memory exhaustion. The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)").

Exploits (1)

nomisec WORKING POC

by lcfr-eth · poc

https://github.com/lcfr-eth/CVE-2024-14027_slop

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2024-14027, a Linux kernel vulnerability in `fs/xattr.c` that allows local privilege escalation via a refcount overflow in `fremovexattr`. The exploits demonstrate leaking `/etc/shadow` and achieving a root shell through a double-close technique.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux kernel 6.6.51 (i386)

No auth needed

Prerequisites: 32-bit Linux kernel (6.6.51) · shared fd table via `clone(CLONE_FILES)` · SUID process (`passwd`) to reclaim freed `struct file`

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Mar 14, 2026 Full analysis →

References (4)

Core 4

Core References

https://git.kernel.org/stable/c/5a1e865e51063d6c56f673ec8ad4b6604321b455

https://git.kernel.org/stable/c/9a3a2ae5efbbcaed37551218abed94e23c537157

Vendor Advisory

https://git.kernel.org/stable/c/d151b94967c8247005435b63fc60f8f4baa320da

Vendor Advisory

https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08

Scores

EPSS 0.0001

EPSS Percentile 3.0%

Details

Status published

Products (15)

linux/Kernel 6.11.0 - 6.12.77linux

Linux/Linux < 6.11

Linux/Linux 6.10.10 - 6.11

Linux/Linux 6.11

Linux/Linux 6.12.77 - 6.12.*

Linux/Linux 6.13

Linux/Linux 6.6.131 - 6.6.*

Linux/Linux 6.6.133 - 6.6.*

Linux/Linux 6.6.51 - 6.6.133

Linux/Linux 8d5863cb33aa424fc27115ee945ad6b96ae2facb

... and 5 more

Published Mar 09, 2026

Tracked Since Mar 09, 2026