Security Experts:

Connect with us

Hi, what are you looking for?



“Dirty COW” Linux Kernel Exploit Seen in the Wild

A new Linux kernel vulnerability disclosed on Wednesday allows an unprivileged local attacker to escalate their privileges on a targeted system. Red Hat said it was aware of an exploit in the wild.

A new Linux kernel vulnerability disclosed on Wednesday allows an unprivileged local attacker to escalate their privileges on a targeted system. Red Hat said it was aware of an exploit in the wild.

The vulnerability, discovered by Phil Oester, was sarcastically dubbed by some people “Dirty COW” due to the fact that it’s caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

The security hole, tracked as CVE-2016-5195, allows local attackers to escalate their privileges on the targeted system by modifying existing setuid files, Red Had said in its advisory.

“An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system,” the company explained.

Red Hat, which classified the flaw as “important,” said it was aware of an exploit leveraging this technique in the wild, but the company has not shared any other information. A fix has already been developed and Linux distributions have started releasing updates.

An increasing number of vulnerabilities have been branded since the discovery of Heartbleed. While some believe that branding a flaw could have a positive impact, others are concerned that branding even low-risk issues could lead to companies ignoring the vulnerabilities that really matter.

The people who created the Dirty COW website, logo and Twitter account have admitted that this vulnerability is not as serious as others and they claim to have branded it to make fun of branded flaws. They even created a shop that sells “Dirty COW” mugs and t-shirts for thousands of dollars.

Linux Kernel Vulnerabilities

Google security researcher Kees Cook has analyzed the Linux kernel vulnerabilities discovered since 2011 in an effort to determine for how long they go unnoticed after they are introduced in a Linux release.

Based on the analysis of 557 CVE identifiers assigned to Linux kernel flaws since 2011, Cook determined that their average lifespan is roughly 5 years. According to the expert, high severity issues are fixed after 6.4 years, while critical issues are discovered, on average, after 3.3 years.

Related: Ubuntu Patches Several Kernel Vulnerabilities

Related: Linux Kernel Flaw Puts Millions of Devices at Risk

Related: Linux Kernel Flaw Exposes Most Android Devices to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet