CVE-2016-5195: Linux kernel local privilege escalation vulnerability Dirty COW

dirty-cowA very serious security problem has been found in the Linux kernel, it’s a 0-day local privilege escalation vulnerability, which has existed for eleven years since 2005 ( since Linux kernel version 2.6.22+ ). This bug affects all sort of of Android or Linux kernel to escalate privileges. Any users can become root in seconds.

This bug is named as Dirty COW (CVE-2016-5195). Exploitation of this bug does not leave any trace of anything abnormal happening to the logs. So you can not detect if someone has exploited this against your server.

What is CVE-2016-5195 “Dirty COW” bug?

From the project site:

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

Here is A list of affected Linux distros (including VMs and containers that share the same kernel)

  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 5.x
  • CentOS Linux 7.x
  • CentOS Linux 6.x
  • CentOS Linux 5.x
  • Debian Linux wheezy
  • Debian Linux jessie
  • Debian Linux stretch
  • Debian Linux sid
  • Ubuntu Linux precise (LTS 12.04)
  • Ubuntu Linux trusty
  • Ubuntu Linux xenial (LTS 16.04)
  • Ubuntu Linux yakkety
  • Ubuntu Linux vivid/ubuntu-core
  • SUSE Linux Enterprise 11 and 12.
  • Openwrt

How can I verify CVE-2016-5195 on Linux?

For RHEL/CentOS Linux, use the following script:

$ wget
$ bash
Your kernel is 3.10.0-123.el7.x86_64 which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at .

For all other distributions, try to run the proof of concept exploit code. Follow these steps,

$ wget
$ gcc -lpthread dirtyc0w.c -o dirtyc0w

Then let’s create a file with privileged permission:

$ echo this is indeed a test | sudo tee
$ cat
this is indeed a test

Now let’s start the exploitation. Run the command as normal user:

$ ./dirtyc0w m00000000000000000
mmap 7f45f50bd000

madvise 0

procselfmem 1800000000

Now if exploit successfully, the file we created with privileged permission should have been overwritten, as below:

$ cat

How to fix CVE-2016-5195 on Linux?

To upgrade the kernel, and don’t forget to commit a reboot. When you finished system updating, you can run the script to confirm everything is fine.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.