EIP-2026-102897

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-102897. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a race condition in the Linux kernel's perf_event_open() function to bypass ptrace_may_access() checks, allowing local attackers to leak sensitive data from setuid programs via performance event monitoring. The PoC demonstrates leaking getpid() results and partial /etc/shadow entries.

Description

Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access /etc/shadow)

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · textlocallinux

https://www.exploit-db.com/exploits/39771

View Code ZIP pw:eip

This exploit leverages a race condition in the Linux kernel's perf_event_open() function to bypass ptrace_may_access() checks, allowing local attackers to leak sensitive data from setuid programs via performance event monitoring. The PoC demonstrates leaking getpid() results and partial /etc/shadow entries.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Racy

Target: Linux kernel (versions before fix commit 79c9ce57eb2d5f1497546a3946b4ae21b6fdc438)

No auth needed

Prerequisites: Local access to the system · Ability to execute setuid binaries

MITRE ATT&CK

T1069 - Permission Groups Discovery T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access /etc/shadow)

Exploitation Summary

Description

Exploits (1)

Details