Dirty COW (CVE-2016-5195)
What is Dirty COW (CVE-2016-5195)?
Dirty COW (CVE-2016-5195): A 2016 Linux kernel race condition in the copy-on-write handling of memory mappings that lets a local user gain root by writing to read-only files.
Dirty COW (CVE-2016-5195) is a race condition in the Linux kernel's memory subsystem that affected most kernel versions from 2007 through 2016. An attacker repeatedly races the kernel's copy-on-write logic against a madvise/MADV_DONTNEED call, eventually causing a write to a private mapping to land in the underlying read-only file. Because suid binaries and /etc/passwd thereby become writable, this yields reliable local privilege escalation to root. The flaw affected servers, desktops, embedded devices and Android, and was used in real attacks (including the ZNIU Android malware). Defences: upgrade to a kernel containing the fix (4.8.3, 4.7.9, 4.4.26, or a later distribution patch), and on Android install the November 2016 security patch level.
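The upgrade guidance above can be turned into a fleet triage check. The following is an added example, not part of the original entry: it classifies `uname -r` strings against the fixed releases listed above, and it assumes that mainline 4.9 and later include the fix and that any vendor-suffixed kernel below those numbers needs its distribution advisory checked, since backports do not change the upstream version. The function names and the sample inventory are constructed for illustration.

```python
import platform
import re

# First fixed upstream stable release per branch, taken from the definition above.
FIXED_STABLE = {(4, 4): 26, (4, 7): 9, (4, 8): 3}
# Assumption (not stated on this page): mainline 4.9 and later include the fix.
FIRST_FIXED_MAINLINE = (4, 9)


def parse_release(release):
    """Split a `uname -r` string into (major, minor, patch, suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix


def triage(release):
    """Return 'fixed-upstream', 'below-fixed-release' or 'check-vendor-advisory'."""
    major, minor, patch, suffix = parse_release(release)
    branch = (major, minor)
    if branch >= FIRST_FIXED_MAINLINE:
        return "fixed-upstream"
    if branch in FIXED_STABLE and patch >= FIXED_STABLE[branch]:
        return "fixed-upstream"
    # Distribution kernels backport fixes without changing the upstream number,
    # so a vendor suffix (anything other than empty or -rcN) is inconclusive.
    vendor_build = bool(suffix) and not re.fullmatch(r"-rc\d+", suffix)
    if branch not in FIXED_STABLE or vendor_build:
        return "check-vendor-advisory"
    return "below-fixed-release"


# Constructed inventory of `uname -r` strings, for illustration only.
SAMPLE_INVENTORY = ["4.8.2", "4.4.26", "4.4.0-45-generic",
                    "3.10.0-327.el7.x86_64", "5.15.0-91-generic"]

if __name__ == "__main__":
    hosts = list(SAMPLE_INVENTORY)
    if platform.system() == "Linux":
        hosts.append(platform.release())  # include the local kernel
    for rel in hosts:
        print(f"{rel:28} {triage(rel)}")
```

A result of check-vendor-advisory means the version number alone cannot settle the question; confirm against the distribution's CVE-2016-5195 advisory or package changelog.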
● Examples
- 01: Local user overwriting /etc/passwd to add a root account via Dirty COW.
- 02: ZNIU Android malware using Dirty COW to root devices and install a backdoor.
● Frequently asked questions
What is Dirty COW (CVE-2016-5195)?
A 2016 Linux kernel race condition in the copy-on-write handling of memory mappings that lets a local user gain root by writing to read-only files. It belongs to the Vulnerabilities category of cybersecurity.
How do you defend against Dirty COW (CVE-2016-5195)?
Defences for Dirty COW (CVE-2016-5195) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Dirty COW (CVE-2016-5195)?
Common alternative names include: CVE-2016-5195, Linux COW race.