Privilege Escalation via Race Condition in Linux Kernel AF_PACKET (CVE-2016-8655)
CVE-2016-8655 is a race condition vulnerability in the Linux kernel's AF_PACKET implementation (net/packet/af_packet.c) affecting versions through 4.8.12. The flaw arises from improper locking in the packet_set_ring and packet_setsockopt functions, leading to a use-after-free condition when changing a socket version. Local attackers with CAP_NET_RAW capability can exploit this to gain arbitrary kernel memory write, bypassing KASLR and SMEP (but not SMAP), and ultimately escalate privileges to root. The vulnerability is particularly exploitable on systems with unprivileged namespaces enabled, such as Ubuntu and Fedora, and can be triggered from within containers to compromise the host kernel. The issue was introduced in August 2011 and fixed in November 2016.
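As an added exposure check (not code from this page or from Mallory), a POSIX sh script that tests whether a host's base kernel version falls inside the affected range the description states (through 4.8.12) and whether unprivileged user namespaces, the exposure multiplier the description names, are enabled via the Ubuntu/Debian sysctl kernel.unprivileged_userns_clone (assumed; mainline kernels do not carry that sysctl). Distribution kernels backport fixes without changing the base version, so a hit means "confirm against the vendor advisory", not "exploitable".

```shell
#!/bin/sh
# Added exposure check for CVE-2016-8655; not part of the page or of Mallory.
# Assumes the "affected through 4.8.12" range from the description and the
# Ubuntu/Debian-only sysctl kernel.unprivileged_userns_clone.
AFFECTED_THROUGH="4.8.12"

# vercmp A B: prints lt, eq or gt comparing dotted numeric versions.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) { print "lt"; exit }
      if (p > q) { print "gt"; exit }
    }
    print "eq"
  }'
}

# base_version "4.4.0-47-generic" -> "4.4.0" (drop the distro suffix).
base_version() { printf '%s\n' "$1" | sed 's/[-+].*//'; }

# yes/no: is the upstream base version inside the affected range?
kernel_in_affected_range() {
  case "$(vercmp "$(base_version "$1")" "$AFFECTED_THROUGH")" in
    lt|eq) echo yes ;;
    *)     echo no ;;
  esac
}

# yes/no: can unprivileged users create user namespaces (and so obtain
# CAP_NET_RAW inside their own namespace)? Arg: path of the sysctl file.
userns_clone_enabled() {
  f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
  if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then echo yes; else echo no; fi
}

# assess KVER SYSCTL_FILE: print the exposure verdict for one host.
assess() {
  b=$(base_version "$1")
  if [ "$(kernel_in_affected_range "$1")" = no ]; then
    echo "$b is past $AFFECTED_THROUGH: outside the affected range"; return 0
  fi
  echo "$b is in the affected range: confirm the vendor backport status for $1"
  if [ "$(userns_clone_enabled "$2")" = yes ]; then
    echo "unprivileged user namespaces enabled: any local user or container can reach AF_PACKET with CAP_NET_RAW; set kernel.unprivileged_userns_clone=0 until patched"
  fi
}

assess "$(uname -r)" /proc/sys/kernel/unprivileged_userns_clone
```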
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository contains a local privilege escalation exploit for CVE-2016-8655, targeting a race condition in the Linux kernel's AF_PACKET implementation. The main file, 'CVE-2016-8655.c', is a C program that exploits this vulnerability to gain root privileges on affected systems. The exploit is specifically tailored for Ubuntu 16.04 x86_64 with kernel versions 4.4.0-36-generic, 4.4.0-47-generic, and 4.4.0-51-generic, but includes offsets for other kernel versions (though these are untested and may crash the system). The exploit works by manipulating kernel memory and sysctl tables via a race condition, ultimately allowing the attacker to execute code as root. Upon successful exploitation, the binary sets itself as SUID root and spawns a root shell by executing /bin/bash. The repository also includes a README.md with usage instructions and background information. No network endpoints are involved; the attack vector is purely local, requiring execution on the target machine.
This repository is a comprehensive exploit toolkit targeting the CVE-2016-5195 (Dirty COW) vulnerability and related race conditions in the Linux kernel, specifically as implemented in the Android goldfish 3.4 emulator kernel and similar devices (e.g., Moto G4/harpia). The structure is modular, with directories for different device targets (goldfish, harpia, rabit_hole) and supporting kernel modules (mod_exploit, mod_nop). The main exploit logic is implemented in C, with Makefiles for cross-compilation to ARM/Android. The exploit works by leveraging a race condition in AF_PACKET socket handling to achieve arbitrary kernel code execution. The payload is injected via a kernel module and demonstrated by writing to the kernel tracing buffer. The repository includes scripts and binaries for deploying and running the exploit on an Android device or emulator. The attack vector is local privilege escalation, requiring code execution on the target device. The exploit is operational and can be adapted for full privilege escalation or other kernel-level attacks. Notable endpoints include /sys/kernel/debug/tracing/trace, /proc/self/pagemap, and local socket connections to 127.0.0.1. The codebase is large and well-structured, with clear separation between device-specific and generic exploit components.