Linux Kernel Exploits in 2024-2025: Dirty Pipe, OverlayFS, nf_tables
A field guide to the Linux kernel exploits operators actually use today, how to identify whether a target is vulnerable, and the patches that close them.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 20, 2025 · 11 min read
Kernel exploits are the last resort
Burning a kernel exploit on an engagement is loud, fragile, and sometimes panics the box. Reach for them only after sudo, SUID, capabilities, cron, and PATH have all come up dry. When you do reach, here are the ones that have aged best.
Identifying the kernel
- uname -r for the running kernel version
- cat /proc/version for build tags and compiler version
- dpkg -l 'linux-image-*' or rpm -qa 'kernel-*' for the installed package (quote the glob so the shell does not expand it against the current directory)
- ls /lib/modules to see installed kernel module trees
- linux-exploit-suggester-2 to map version to candidate CVEs
CVE-2022-0847 Dirty Pipe
Pipe page cache flag mismanagement on kernels from 5.8 up to the fixes in 5.16.11, 5.15.25, and 5.10.102. Lets an unprivileged user overwrite data in read-only files. The classic exploit overwrites /etc/passwd or a SUID binary. Stable, fast, no kernel panic.
CVE-2021-3493 OverlayFS
Ubuntu-specific OverlayFS bug that lets a user mount a crafted overlay and gain root via file capability copy. Affects Ubuntu 14.04 through 21.04 on the Ubuntu kernel. The public exploit is reliable and works inside containers with user namespaces enabled.
CVE-2023-32233 nf_tables
Use-after-free in the netfilter nf_tables subsystem on kernels 5.x through 6.3.x. Requires CAP_NET_ADMIN, which any unprivileged user can obtain by creating a user namespace on the many distros that allow unprivileged user namespaces. The public PoC reads and writes kernel memory and pops a root shell.
CVE-2023-3269 StackRot
Use-after-free in the maple tree memory management code on kernels 6.1 through 6.4. The researcher's PoC is intricate but reliable. Patched in 6.4.3 and later 6.1.x backports. Watch for unpatched RHEL 9.2 and Debian 12 systems.
CVE-2021-4034 PwnKit
- Polkit pkexec argument parsing flaw, not technically kernel but always grouped here
- Affects almost every Linux distro before late January 2022
- pkexec is SUID root, unprivileged users get instant root
- Public PoC is two C files, compiles anywhere
- Patched broadly, but unpatched embedded and air-gapped systems still exist
Container escapes that pair with kernel bugs
- CVE-2022-0492 cgroup v1 release_agent escape, fixed February 2022
- CVE-2022-0185 fsconfig integer underflow, container escape with user namespaces
- Dirty Pipe inside a container can overwrite host files when layers overlap
Detection and hardening
- Pin kernel versions and patch monthly, prioritize hosts with user namespaces enabled
- Disable unprivileged user namespaces where possible: kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels, which carry that sysctl as a distro patch; on mainline kernels the equivalent knob is user.max_user_namespaces=0
- Mount /proc with hidepid=2 to hide other users' processes
- Falco kernel module rules on unusual capset and mount syscalls
- auditd on bpf and io_uring syscalls, both of which have been exploit primitives recently
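The identification steps above and the user-namespace hardening item can be folded into one host check. The script below is an added example, not code from the original article or from BIPI: it parses a kernel release string as uname -r prints it, places it against the Dirty Pipe fix versions the article states, flags distro kernels whose version alone is inconclusive, and reads the user-namespace sysctls directly (the sysctl root is a parameter so the function can be tested against a constructed directory).

```shell
# Added example, not from the original article: check a kernel release against the
# Dirty Pipe (CVE-2022-0847) window the article states (affected from 5.8, fixed in
# 5.16.11, 5.15.25 and 5.10.102) and whether unprivileged user namespaces are off.

# Strip the distro suffix (5.15.0-91-generic -> 5.15.0); print "MAJOR MINOR PATCH".
kernel_triplet() {
  base=${1%%-*}
  major=${base%%.*}; rest=${base#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0   # no third field, e.g. "5.15"
  echo "$major $minor $patch"
}

# True when the release has a distro suffix: Ubuntu, Debian and RHEL backport
# fixes without bumping the version, so only the package changelog is conclusive.
is_distro_kernel() {
  case $1 in *-*) return 0 ;; *) return 1 ;; esac
}

# dirty_pipe_status RELEASE -> unaffected | patched | vulnerable
dirty_pipe_status() {
  set -- $(kernel_triplet "$1")
  if [ "$1" -ne 5 ] || [ "$2" -lt 8 ] || [ "$2" -gt 16 ]; then
    echo unaffected; return
  fi
  case $2 in
    16) fix=11 ;;
    15) fix=25 ;;
    10) fix=102 ;;
    *)  echo vulnerable; return ;;   # stable series with no upstream fix release
  esac
  if [ "$3" -ge "$fix" ]; then echo patched; else echo vulnerable; fi
}

# userns_status [SYSCTL_ROOT] -> disabled | enabled. Mainline exposes
# user.max_user_namespaces; kernel.unprivileged_userns_clone is a Debian/Ubuntu
# patch, so both files are consulted (the root is overridable for testing).
userns_status() {
  root=${1:-/proc/sys}
  for f in kernel/unprivileged_userns_clone user/max_user_namespaces; do
    if [ -r "$root/$f" ] && [ "$(cat "$root/$f")" = 0 ]; then echo disabled; return; fi
  done
  echo enabled
}

# Report on the running host.
rel=$(uname -r)
echo "kernel $rel: Dirty Pipe $(dirty_pipe_status "$rel")"
if is_distro_kernel "$rel"; then echo "distro kernel: confirm the fix via the package changelog"; fi
echo "unprivileged user namespaces: $(userns_status)"
```

A "vulnerable" verdict on a distro kernel is a prompt to read the package changelog, not a confirmed finding; only the upstream versions the article lists are compared.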
A kernel exploit shop with five reliable bugs across the last four years is doing better than most. Keep your list short and tested.
Operator hygiene
Maintain a private repo of compiled exploits with notes on tested kernels, distros, and reliability. The two minutes saved at the prompt are worth the day spent building the lab.