Linux Local Privilege Escalation

Details of a critical Linux local privilege escalation vulnerability were reported on May 14, 2013.

This zero-day vulnerability appears to affect multiple flavors of Linux (RedHat/CentOS, Ubuntu, Debian, and others) and exploit code has already been publicly released and confirmed. This vulnerability requires a local shell account and allows attackers to quickly escalate their privileges to root access.


Update 5/16/13 (am)

Fixes for RHEL 6 and Ubuntu 12.04 have been released; see the links below.

Affected kernels:

Mainline Linux kernel versions 2.6.37 through 3.8.8 are affected (the flaw was introduced with the perf changes in 2.6.37 and is fixed in 3.8.9); older distribution kernels are affected where the vendor backported those changes.

Red Hat Enterprise Linux 6 up to and including kernel-2.6.32-358.6.1.el6 (x86_64) is affected.

Red Hat Enterprise Linux 5 did not receive the backport that introduced this vulnerability and does not appear to be affected.

Although 32-bit kernels are not exploitable with the current proof-of-concept code, they have been stated to be vulnerable nonetheless.

Please note that SELinux *DOES NOT* mitigate this vulnerability: the flaw corrupts kernel memory directly, so no LSM policy is consulted on the path the exploit takes.

Distribution details and patches:

Red Hat:


A temporary patched kernel from CentOS:


Temporary mitigation:

The command:  sysctl kernel.perf_event_paranoid=2

can be used as a temporary mitigation against the currently published exploit. With a value of 2 the kernel refuses perf_event_open() calls from unprivileged users unless they exclude kernel-space profiling, and that check runs before the flawed code is reached; the published exploit is stopped by it, but the underlying bug is not fixed. See Red Hat's answer below:

> Can you confirm that:
>
> sysctl kernel.perf_event_paranoid=2
>
> is a good enough solution for our users in short term?

Our testing shows that this is not sufficient to avoid the issue in general, but it is currently sufficient mitigation against the publicly available (unmodified) exploits.

Best regards,
-- Petr Matousek / Red Hat Security Response Team

Further information:

CVE-2013-2094 has been assigned to this vulnerability. The underlying bug is in the kernel's perf_swevent_init() (kernel/events/core.c): the perf_event_attr.config value supplied to perf_event_open() was handled as a signed int, so a large value became a negative array index and the kernel wrote outside the perf_swevent_enabled array. The upstream fix treats the value as a u64 before the range check.

Please see the following thread for detailed information:

What you should do:

  • Verify whether your particular workstation or server kernel versions fall in the affected range above

  • Monitor the NIST page and vendor sites for forthcoming patches

  • If possible, take the opportunity to audit your users and delete any temporary, unused or defunct accounts.

  • Make sure that your systems are sending their logs to our central syslog server (

  • Contact if you notice any unusual behavior on your systems
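The following script is an added example (not part of the original advisory) that ties together the "verify whether your kernel is vulnerable" step above and the temporary sysctl mitigation: it classifies a kernel release string against the affected ranges listed on this page, reports whether kernel.perf_event_paranoid is already at 2, and can apply and persist the mitigation. It assumes the mainline range 2.6.37 through 3.8.8, the RHEL/CentOS 6 cut-off at build 358.6.1.el6, and that /etc/sysctl.d is read at boot; other vendor kernels are matched on their mainline base only, so the vendor advisory must still be consulted for the fixed build number.

```shell
#!/bin/sh
# Added triage helper for CVE-2013-2094 (example code, not the advisory's own).
# Assumptions: mainline affected range 2.6.37..3.8.8 (fixed in 3.8.9); RHEL/CentOS 6
# kernels are 2.6.32-based but affected up to and including build 358.6.1.el6;
# other vendor kernels are matched on their mainline base only.

# Reduce a kernel release string to a sortable integer: "3.8.8" -> 3008008.
# Everything from the first character that is not a digit or '.' is dropped, so
# "2.6.32-358.6.1.el6.x86_64" compares as 2.6.32 and "3.2.0-40-generic" as 3.2.0.
kver_to_int() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%d' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 if the release string falls in an affected range, 1 otherwise.
is_affected_version() {
    rel="$1"
    case "$rel" in
        2.6.32-*.el6*)
            # RHEL/CentOS 6 carry the backport: affected through kernel-2.6.32-358.6.1.el6
            build=$(printf '%s' "$rel" | sed 's/^2\.6\.32-//')
            [ "$(kver_to_int "$build")" -le "$(kver_to_int 358.6.1)" ]
            ;;
        *)
            n=$(kver_to_int "$rel")
            [ "$n" -ge "$(kver_to_int 2.6.37)" ] && [ "$n" -lt "$(kver_to_int 3.8.9)" ]
            ;;
    esac
}

# Current value of kernel.perf_event_paranoid, or "unknown" when it cannot be read.
perf_paranoid_value() {
    cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null || echo unknown
}

# Exit 0 when the temporary mitigation from the advisory (value >= 2) is in place.
mitigation_active() {
    v=$(perf_paranoid_value)
    [ "$v" != unknown ] && [ "$v" -ge 2 ]
}

# Apply the mitigation now and persist it across reboots (needs root). Per Red Hat,
# this only stops the unmodified public exploit; it is not a fix for the kernel bug.
# Assumes /etc/sysctl.d is read at boot; otherwise add the line to /etc/sysctl.conf.
apply_mitigation() {
    sysctl -w kernel.perf_event_paranoid=2 &&
    printf 'kernel.perf_event_paranoid = 2\n' > /etc/sysctl.d/99-cve-2013-2094.conf
}

# Print a one-line verdict for the given (default: running) kernel; exit 1 if affected.
report() {
    rel="${1:-$(uname -r)}"
    if is_affected_version "$rel"; then
        printf 'kernel %s: in the affected range, patch required\n' "$rel"
        if mitigation_active; then
            printf 'kernel.perf_event_paranoid=%s: unmodified public exploit blocked, kernel still vulnerable\n' "$(perf_paranoid_value)"
        else
            printf 'kernel.perf_event_paranoid=%s: no mitigation in place\n' "$(perf_paranoid_value)"
        fi
        return 1
    fi
    printf 'kernel %s: outside the affected range (check the vendor advisory for backports)\n' "$rel"
    return 0
}

case "${1:-}" in
    check)    report "$2" ;;
    mitigate) apply_mitigation && report ;;
    *)        printf 'usage: %s check [kernel-release] | mitigate\n' "$0" >&2 ;;
esac
```

Run `sh cve-2013-2094-check.sh check` to classify the running kernel, `check 2.6.32-358.6.1.el6.x86_64` to classify a release string from an inventory, and `mitigate` as root to set and persist the sysctl. A non-zero exit from `check` means the kernel still needs the vendor update regardless of the sysctl value, which is the point Red Hat's answer above makes.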