Privilege Escalation · Term

What is a Linux kernel exploit?

A kernel exploit attacks a bug in the Linux kernel itself to jump straight to root, no misconfiguration needed. DirtyCow, PwnKit, and Dirty Pipe are famous examples. Here is what kernel exploits are and how to defend against them.

TL;DR

A Linux kernel exploit is privilege escalation that abuses a vulnerability in the kernel (or a core system component) to gain root directly, regardless of how well the system is otherwise configured. Because the kernel runs with the highest privilege, a successful exploit grants full control. Famous examples include Dirty COW (CVE-2016-5195), PwnKit (CVE-2021-4034), and Dirty Pipe (CVE-2022-0847). The defence is straightforward but operationally hard: keep the kernel patched.

By John Dill, Red Team Lead, SecureLayer7

What a kernel exploit is

The kernel is the core of Linux and runs with complete control of the machine. A kernel exploit is a program that triggers a bug in the kernel (or a tightly integrated component like polkit) to execute code or change privileges at that highest level.

Unlike misconfiguration-based escalation, a kernel exploit does not need a weak permission or a careless rule. If the kernel is vulnerable and unpatched, the exploit works on its own.

The abuse and payload

The attacker checks the kernel version, finds a matching public exploit, and runs it:

  • Check the kernel and distribution: uname -a (or uname -r for the release string alone) and cat /etc/os-release.
  • Match against known vulnerabilities. For example, Dirty Pipe affects kernels from 5.8 up to the fixed stable releases 5.16.11, 5.15.25 and 5.10.102. Distribution kernels often backport fixes without changing the upstream version number, so a version match is a lead to confirm, not proof.
  • Compile and run the exploit: gcc exploit.c -o exploit && ./exploit, which typically drops a root shell.
  • Examples: Dirty COW, PwnKit (a bug in polkit's setuid pkexec rather than in the kernel, but exploited the same way on many distributions: a local user runs a public exploit against the unpatched binary), Dirty Pipe.

Kernel exploits can crash systems, so testers use them carefully. Shown for defensive context.

How to defend

  • Patch the kernel and core packages promptly; this is the primary defence.
  • Track your kernel version against known privilege-escalation CVEs, using the distribution's security advisories rather than the upstream version string alone, since fixes are frequently backported.
  • Use live-patching where available to close the window between a fix being published and the reboot that installs it.
  • Apply defence in depth (least privilege, monitoring) so a low-privileged foothold is harder to get in the first place and its use is noticed.
  • Retire end-of-life kernels and distributions that no longer receive security updates; an unsupported branch never gets the fix at all.
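The version check in the attack steps above and the "track your kernel version" defence are the same comparison done from opposite sides. The POSIX shell script below is an added example, not the page's or SecureLayer7's own code: it classifies a kernel release string against the Dirty Pipe (CVE-2022-0847) affected range. The introduced and fixed versions (5.8; 5.16.11, 5.15.25, 5.10.102) come from the upstream disclosure; the function names and the integer encoding of versions are this example's own choices. It deliberately stops at the upstream version, because distribution kernels backport fixes without changing that number, so its "vulnerable" verdict is a lead to confirm against the vendor's advisory, not proof.

```shell
#!/bin/sh
# Added example (not the page's own code): triage a Linux kernel release
# string against the Dirty Pipe (CVE-2022-0847) affected range.
# Upstream facts used: the bug was introduced in 5.8 and fixed in the
# stable releases 5.16.11, 5.15.25 and 5.10.102 (hence in 5.17 and later).
# Caveat: distribution kernels backport fixes without bumping the upstream
# version, so a "vulnerable" verdict here must be confirmed against the
# distribution's advisory before anyone acts on it.

# kver_base "5.10.0-21-amd64" -> "5.10.0": drop the distribution suffix.
kver_base() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/'
}

# kver_series "5.10.102" -> "5.10": the stable branch the release belongs to.
kver_series() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/'
}

# kver_num "5.10.102" -> 5010102: one integer so releases compare with -lt/-ge.
# Assumes every component is below 1000, which holds for mainline and stable.
kver_num() {
    set -- $(kver_base "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# dirtypipe_status RELEASE -> not-affected | vulnerable | patched
# (by upstream version only; see the caveat at the top).
dirtypipe_status() {
    v=$(kver_num "$1")
    if [ "$v" -lt "$(kver_num 5.8)" ]; then
        echo not-affected; return
    fi
    if [ "$v" -ge "$(kver_num 5.17)" ]; then
        echo patched; return
    fi
    case "$(kver_series "$1")" in
        5.10) fix=5.10.102 ;;
        5.15) fix=5.15.25 ;;
        5.16) fix=5.16.11 ;;
        # 5.8, 5.9 and 5.11 to 5.14 were end-of-life before the fix shipped:
        # no upstream release ever closed the hole on those branches.
        *) echo vulnerable; return ;;
    esac
    if [ "$v" -ge "$(kver_num "$fix")" ]; then echo patched; else echo vulnerable; fi
}

# Stand-alone run: triage the running kernel, as the manual steps do with uname -r.
rel=$(uname -r)
printf 'kernel %s: CVE-2022-0847 by upstream version: %s\n' \
    "$rel" "$(dirtypipe_status "$rel")"
```

Run it on a host as sh triage.sh, or call dirtypipe_status with release strings pulled from an inventory export to find which machines still need the patch. Adding further CVEs means adding a table of introduced and fixed versions per stable branch; the end-of-life branches that fall through to the default case are the ones the last defence bullet is about.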
