CVE-2020-8835

Published: 02/04/2020 Updated: 21/07/2021
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, because the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (This issue is also known as ZDI-CAN-10780.)

Vulnerable Products

linux linux kernel

fedoraproject fedora 32

canonical ubuntu linux 18.04

canonical ubuntu linux 19.10

Vendor Advisories

Arch Linux Security Advisory ASA-202003-15 | Severity: High | Date: 2020-03-31 | CVE-ID: CVE-2020-8835 | Package: linux | Type: privilege escalation | Remote: No | Link: security.archlinux.org/AVG-1122 | Summary: The package linux before version 5.5.13.arch2-1 is vulnerable to privilege ...
Arch Linux Security Advisory ASA-202004-2 | Severity: High | Date: 2020-04-01 | CVE-ID: CVE-2020-8835 | Package: linux-hardened | Type: privilege escalation | Remote: No | Link: security.archlinux.org/AVG-1120 | Summary: The package linux-hardened before version 5.5.13.b-1 is vulnerable t ...
Arch Linux Security Advisory ASA-202004-3 | Severity: High | Date: 2020-04-01 | CVE-ID: CVE-2020-8835 | Package: linux-lts | Type: privilege escalation | Remote: No | Link: security.archlinux.org/AVG-1121 | Summary: The package linux-lts before version 5.4.28-2 is vulnerable to privilege ...
Arch Linux Security Advisory ASA-202004-4 | Severity: High | Date: 2020-04-01 | CVE-ID: CVE-2020-8835 | Package: linux | Type: privilege escalation | Remote: No | Link: security.archlinux.org/AVG-1122 | Summary: The package linux before version 5.5.13.arch2-1 is vulnerable to privilege es ...
Arch Linux Security Advisory ASA-202003-14 | Severity: High | Date: 2020-03-31 | CVE-ID: CVE-2020-8835 | Package: linux-hardened | Type: privilege escalation | Remote: No | Link: security.archlinux.org/AVG-1120 | Summary: The package linux-hardened before version 5.5.13.b-1 is vulnerable ...
Arch Linux Security Advisory ASA-202003-16 | Severity: High | Date: 2020-03-31 | CVE-ID: CVE-2020-8835 | Package: linux-lts | Type: privilege escalation | Remote: No | Link: security.archlinux.org/AVG-1121 | Summary: The package linux-lts before version 5.4.28-2 is vulnerable to privileg ...
An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier, where an incorrect register bounds calculation occurs while checking 32-bit instructions in an eBPF program. This flaw allows an unprivileged user or process to execute eBPF programs to crash the kernel, resulting in a denial of service or poten ...

Mailing Lists

[re-sending, apologies if a prior version makes it to the list] Manfred Paul, as part of the ZDI pwn2own competition, demonstrated that a flaw existed in the bpf verifier for 32-bit operations. This was introduced in commit: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions"). The result is that register bounds were im ...
Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel ...
Qualys Security Advisory: Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909). Contents: Summary; Analysis; Exploitation overview; Exploitation details; Mitigations; Acknowledgments; Timeline ...

Github Repositories

Exploit for the eBPF challenge in Google CTF 2021 qualifications. Compile with gcc -static -Os -s ./exploit.c -o exploit. Based on github.com/ret2hell/CVE-2020-8835.

CVE-2020-8835: In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) does not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. This vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerabi

Rick_write_exp_CVE-2020-8835

CVE-2020-8835

Linux kernel CVE exploit analysis report and related debug environment. You don't need to compile the Linux kernel and configure your environment anymore.

kernel_exploit_factory: Linux kernel CVE exploit analysis report and related debug environment. You don't need to compile the Linux kernel and configure your environment anymore. This repository collects Linux kernel exploits together with their debug environments. Testing is done on Qemu. CVE-2020-8835 analysis report reference

My exploit for CVE-2020-27194, tested on Linux kernel 5.8.14.

CVE-2020-27194: my exploit for CVE-2020-27194, tested on Linux kernel 5.8.14. References: CVE-2020-8835 pwn2own 2020 eBPF privilege escalation vulnerability analysis; CVE-2020-8835 pwn2own 2020 eBPF privilege escalation via arbitrary read/write analysis

kernel-exploit-factory (kept updated): Linux kernel CVE exploit analysis report and related debug environment. You don't need to compile the Linux kernel and configure your environment anymore. This repository collects Linux kernel exploits together with their debug environments. You can use Qemu to boot the kernel and test the exploit. # E.g., test CVE-2017-11176, finally

Linux kernel EoP exploit

linux-kernel-exploits. Introduction: building on the GitHub project github.com/SecWiki/linux-kernel-exploits, this adds privilege escalation exploits from recent years; the information collected on each vulnerability is in the Readme.md under the corresponding vulnerability folder. During red team engagements, the script github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh can be used to assess which privilege

Linux Elevation (continuously updated)

Linux Elevation. This project is for Linux elevation. Vulnerable list (#CVE [#Description] #Kernels): CVE-2021-3156 [Sudo 1.8.2 - 1.8.31p2, Sudo 1.9.0 - 1.9.5p1]; CVE-2020-9470 [Wing FTP Server 6.2.5 - Privilege Escalation]; CVE-2020-8635 [Wing FTP Server 6.2.3 - Privilege Escalation]; CVE-2020-8835 [Linux Kernel 5.4 or Linux Kernel 5.4]; CVE-2019-7304 [2.34.2ubuntu0.1 or 2.3

Linux Elevation (continuously updated)

Linux Elevation. This project is for Linux elevation. Vulnerable list (#CVE [#Description] #Kernels): CVE-2020-9470 [Wing FTP Server 6.2.5 - Privilege Escalation]; CVE-2020-8635 [Wing FTP Server 6.2.3 - Privilege Escalation]; CVE-2020-8835 [Linux Kernel 5.4 or Linux Kernel 5.4]; CVE-2019-7304 [2.34.2ubuntu0.1 or 2.35.5+18.10.1]; CVE-2019-13272 [Linux kernel before 5.1.17]

Linux Kernel Exploitation. Pull requests are welcome. Books: 2014: "Android Hacker's Handbook" by Joshua J. Drake; 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani. Workshops: 2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop]. Exploitation Techniques: 2020: "Structures that can be u

linux-kernel-exploitation. Books: 2014: "Android Hacker's Handbook" by Joshua J. Drake; 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani. Workshops: 2020: "pwn.college: Module: Kernel Security" [workshop]; 2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop]. Exploitation Techniqu

PoC in GitHub 2021. CVE-2021-1056 (2021-01-07): NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. pokerfaceSad/CVE-2021-1056. CVE-2021-

PoC in GitHub 2020. CVE-2020-0014: It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-1286745

PoC in GitHub 2020. CVE-2020-0014 (2020-02-13): It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android

PoCs auto-collected from GitHub.

PoC in GitHub 2020. CVE-2020-0022: In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out-of-bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Andr

Recent Articles

Tor Project loses a third of staff in coronavirus cuts: Unlucky 13 out as nonprofit hacks back to core ops
The Register • Shaun Nichols in San Francisco • 20 Apr 2020

Also, Zoom assembles security dream team to fix its ongoing woes

This week in The Reg's security roundup of the notable bits beyond what we've already covered, the Tor Project has cut back to its core team, Zoom has called in the big security guns, US tech firms are taking on its Congress – and more.
First off, it has been a bad weekend for 13 staffers at the nonprofit Tor Project after they were let go as the team was reduced to core operations only.
"Like many other nonprofits and small businesses, the crisis has hit us hard, and we have had t...