PwnKit (CVE-2021-4034)
What is PwnKit (CVE-2021-4034)?
A local privilege-escalation vulnerability in the Polkit pkexec utility that lets any unprivileged local user gain root on most Linux distributions.
PwnKit, tracked as CVE-2021-4034, is a memory-corruption flaw disclosed by Qualys in January 2022 in pkexec, a SUID-root binary shipped with Polkit (formerly PolicyKit) and installed by default on virtually every major Linux distribution; the bug has been present since pkexec's first release in May 2009. pkexec's argument parser starts at argv[1] and assumes argv[0] exists, but execve() lets a caller pass an empty argument list, so argc can be 0. Because the kernel places the argv and envp pointer arrays back to back, argv[1] is then the same slot as envp[0]: pkexec reads the attacker's first environment string as the program name, resolves it via PATH, and writes the resolved path back into argv[1], that is, into envp[0]. This out-of-bounds write lets the attacker reintroduce an environment variable such as GCONV_PATH that the dynamic loader strips from SUID processes at startup; when pkexec's error path later prints a message with a non-UTF-8 charset in effect, glibc's iconv() loads an attacker-supplied gconv module from that directory and runs its code as root. The bug requires only local shell access, is exploitable reliably and independently of architecture, works even if the polkit daemon is not running, has public exploits, and affects Ubuntu, Debian, RHEL, CentOS, Fedora and others. Mitigation is installing the patched polkit package, which makes pkexec exit when argc is less than 1, or removing the SUID bit from pkexec (chmod 0755 /usr/bin/pkexec) until updates are applied.
● Examples
- 01
An attacker with a low-privileged SSH shell runs a PwnKit exploit and immediately gains a root shell.
- 02
A compromised workload in a container whose image ships a SUID pkexec uses PwnKit to become root inside the container, often the first step towards a full escape to the host.
● Frequently asked questions
What is PwnKit (CVE-2021-4034)?
A local privilege-escalation vulnerability in the Polkit pkexec utility that lets any unprivileged user gain root on most Linux distributions. It belongs to the Vulnerabilities category of cybersecurity.
What does PwnKit (CVE-2021-4034) mean?
A local privilege-escalation vulnerability in the Polkit pkexec utility that lets any unprivileged user gain root on most Linux distributions.
How does PwnKit (CVE-2021-4034) work?
PwnKit, tracked as CVE-2021-4034, is a memory-corruption flaw disclosed by Qualys in January 2022 in pkexec, a SUID-root binary shipped with Polkit (formerly PolicyKit) and installed by default on virtually every major Linux distribution; the bug has been present since pkexec's first release in May 2009. pkexec's argument parser starts at argv[1] and assumes argv[0] exists, but execve() lets a caller pass an empty argument list, so argc can be 0. Because the kernel places the argv and envp pointer arrays back to back, argv[1] is then the same slot as envp[0]: pkexec reads the attacker's first environment string as the program name, resolves it via PATH, and writes the resolved path back into argv[1], that is, into envp[0]. This out-of-bounds write lets the attacker reintroduce an environment variable such as GCONV_PATH that the dynamic loader strips from SUID processes at startup; when pkexec's error path later prints a message with a non-UTF-8 charset in effect, glibc's iconv() loads an attacker-supplied gconv module from that directory and runs its code as root. The bug requires only local shell access, is exploitable reliably and independently of architecture, works even if the polkit daemon is not running, has public exploits, and affects Ubuntu, Debian, RHEL, CentOS, Fedora and others. Mitigation is installing the patched polkit package, which makes pkexec exit when argc is less than 1, or removing the SUID bit from pkexec (chmod 0755 /usr/bin/pkexec) until updates are applied.
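To make the argc == 0 aliasing concrete, here is an added example that is neither pkexec's source nor the Qualys exploit. It builds, in ordinary memory, the contiguous argv/envp pointer block the kernel hands a new process, runs a simplified mirror of pkexec's flawed argument handling against it, and then runs the same input through the upstream fix's argc < 1 check. The in-memory "filesystem" table (a directory literally named GCONV_PATH=. holding an executable called pwnkit), the find_program_in_path stand-in for GLib's lookup, the run_sim helper and the return codes are all constructed for illustration. No shared object is loaded and nothing runs as root: the example stops at the out-of-bounds write that turns envp[0] from pwnkit into GCONV_PATH=./pwnkit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's process pointer block: argv[0..argc-1],
 * NULL, envp[0..], NULL, laid out contiguously. With argc == 0 the array is
 * { NULL, envp0, NULL }, so argv[1] and envp[0] are the same slot. */
#define VEC_SLOTS 8

struct proc_vectors {
    char *vec[VEC_SLOTS];
    char **argv;    /* &vec[0] */
    char **envp;    /* &vec[argc + 1] */
    int argc;
};

static void build_vectors(struct proc_vectors *pv, int argc, char *const *args, char *env0)
{
    int i = 0;
    memset(pv, 0, sizeof *pv);
    pv->argc = argc;
    pv->argv = pv->vec;
    for (int a = 0; a < argc; a++) pv->vec[i++] = args[a];
    pv->vec[i++] = NULL;          /* argv terminator */
    pv->envp = &pv->vec[i];
    pv->vec[i++] = env0;          /* envp[0] */
    pv->vec[i++] = NULL;          /* envp terminator */
}

/* Hypothetical in-memory "filesystem" standing in for g_find_program_in_path():
 * the attacker has created a directory named "GCONV_PATH=." that holds an
 * executable file "pwnkit". No real file is touched. */
struct fake_exe { const char *dir; const char *name; };
static const struct fake_exe FAKE_FS[] = { { "/usr/bin", "id" }, { "GCONV_PATH=.", "pwnkit" } };

static char *find_program_in_path(const char *name, const char *path_env)
{
    const char *p = path_env;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);
        for (size_t k = 0; k < sizeof FAKE_FS / sizeof FAKE_FS[0]; k++) {
            if (strlen(FAKE_FS[k].dir) == dlen && strncmp(FAKE_FS[k].dir, p, dlen) == 0
                && strcmp(FAKE_FS[k].name, name) == 0) {
                size_t len = dlen + 1 + strlen(name) + 1;
                char *r = malloc(len);
                if (r) snprintf(r, len, "%.*s/%s", (int)dlen, p, name);
                return r;
            }
        }
        if (!end) break;
        p = end + 1;
    }
    return NULL;
}

/* Simplified mirror of the flawed pkexec main() (pre-fix logic, kept on
 * purpose): the option loop starts at n = 1, so with argc == 0 it never runs
 * and argv[1], which is envp[0], is read and then overwritten. */
static int pkexec_main_vulnerable(int argc, char **argv, const char *path_env)
{
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-') break;   /* first non-option word is the program */
    }
    const char *path = argv[n];          /* argc == 0: out-of-bounds read of envp[0] */
    if (path == NULL) return 127;
    if (path[0] != '/') {
        char *s = find_program_in_path(path, path_env);
        if (s == NULL) return 127;
        argv[n] = s;                     /* argc == 0: out-of-bounds write into envp[0] */
    }
    return 0;
}

/* The core of the upstream fix: refuse to run when argv[0] is absent. */
static int pkexec_main_patched(int argc, char **argv, const char *path_env)
{
    if (argc < 1) return 127;
    return pkexec_main_vulnerable(argc, argv, path_env);
}

/* One simulated execve("pkexec", {NULL}, {"pwnkit", NULL}) with the PATH value
 * "GCONV_PATH=." (the shape of the public exploit's environment). Copies
 * envp[0] as seen after argument handling into env0_after, returns pkexec's rc. */
static int run_sim(int patched, char *env0_after, size_t cap)
{
    static char env0[] = "pwnkit";       /* attacker's envp[0]: a bare program name */
    struct proc_vectors pv;
    build_vectors(&pv, 0, NULL, env0);
    int rc = patched ? pkexec_main_patched(pv.argc, pv.argv, "GCONV_PATH=.")
                     : pkexec_main_vulnerable(pv.argc, pv.argv, "GCONV_PATH=.");
    snprintf(env0_after, cap, "%s", pv.envp[0]);
    if (pv.envp[0] != env0) free(pv.envp[0]);   /* the injected pointer was malloc'd */
    return rc;
}

/* Convenience accessors for the simulation result. */
static int sim_rc(int patched) { char b[64]; return run_sim(patched, b, sizeof b); }
static const char *sim_env0(int patched) { static char b[64]; run_sim(patched, b, sizeof b); return b; }

int main(void)
{
    printf("vulnerable: rc=%d envp[0]=\"%s\"\n", sim_rc(0), sim_env0(0));
    printf("patched:    rc=%d envp[0]=\"%s\"\n", sim_rc(1), sim_env0(1));
    return 0;
}
```

Compile with gcc and run: the vulnerable path returns 0 and reports envp[0] as GCONV_PATH=./pwnkit, the patched path returns 127 with envp[0] untouched. On a real system the pointer write alone is harmless; the damage comes from glibc honouring that re-injected GCONV_PATH the next time pkexec prints an error.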
How do you defend against PwnKit (CVE-2021-4034)?
Install your distribution's polkit security update; the upstream fix makes pkexec exit when it is started with argc less than 1, so the out-of-bounds access cannot occur. Until the update is in place, remove the SUID bit with chmod 0755 /usr/bin/pkexec; this blocks exploitation but also stops legitimate pkexec privilege prompts until the patched package restores the bit. Verify the state with ls -l /usr/bin/pkexec (an s in the owner execute position means the bit is set). On the detection side, clumsy exploitation attempts can leave pkexec error messages in the authentication log (auth.log, /var/log/secure or the journal), but Qualys noted that the bug can also be exploited without leaving any such trace, so log monitoring complements patching rather than replacing it. Restricting local shell access, and alerting on pkexec being launched with an empty argument list where your endpoint tooling records execve() arguments, reduce exposure further.
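An added check, not part of this page or of polkit, for the two controls above: it tests and strips the setuid bit on a given path, and scans log lines for the two messages pkexec writes to syslog on its environment-validation error path (the "suscipious" spelling is pkexec's own). The sample auth.log excerpt is constructed, the function names are chosen here, and the self-test uses a throwaway temporary file rather than the real /usr/bin/pkexec. Keep Qualys' caveat in mind: exploitation is possible without producing these log lines, so their absence proves nothing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if the file at path has the setuid bit, 0 if not, -1 on error. */
static int file_has_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Drops only the setuid bit (same effect as `chmod u-s path`); the other
 * permission bits are preserved. Returns 0 on success, -1 on error. */
static int strip_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return chmod(path, st.st_mode & ~S_ISUID & 07777);
}

/* Matches the two messages pkexec logs when an environment variable fails its
 * validation, which exploit attempts can trigger. Returns 1 for a match. */
static int is_pkexec_probe_log(const char *line)
{
    if (strstr(line, "pkexec") == NULL) return 0;
    return strstr(line, "was not found the /etc/shells file") != NULL
        || strstr(line, "contains suscipious content") != NULL;
}

/* Counts matching lines in a newline-separated log buffer. */
static int count_pkexec_probes(const char *log)
{
    int hits = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        hits += is_pkexec_probe_log(line);
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample auth.log excerpt (not real captured data). */
static const char SAMPLE_LOG[] =
    "Jan 26 10:00:01 host sshd[1200]: Accepted publickey for dev from 10.0.0.5 port 51234\n"
    "Jan 26 10:00:09 host pkexec[1337]: dev: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=pwnkit]\n"
    "Jan 26 10:00:09 host pkexec[1338]: dev: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=pwnkit]\n"
    "Jan 26 10:01:00 host CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)\n";

/* Exercises the setuid check and strip on a throwaway temp file (in /tmp, or
 * the working directory as a fallback) so the logic can be verified without
 * touching the real binary. Returns 1 on success, 0 on failure. */
static int selftest_setuid_on_temp_file(void)
{
    static const char *templates[] = { "/tmp/pkexec-check-XXXXXX", "./pkexec-check-XXXXXX" };
    for (size_t i = 0; i < 2; i++) {
        char name[64];
        snprintf(name, sizeof name, "%s", templates[i]);
        int fd = mkstemp(name);
        if (fd < 0) continue;
        close(fd);
        int ok = chmod(name, 04755) == 0
              && file_has_setuid(name) == 1
              && strip_setuid(name) == 0
              && file_has_setuid(name) == 0;
        unlink(name);
        return ok;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/usr/bin/pkexec";
    int suid = file_has_setuid(target);
    printf("%s setuid bit: %s\n", target,
           suid == 1 ? "set" : suid == 0 ? "clear" : "not found");
    printf("suspicious pkexec log lines in sample: %d\n", count_pkexec_probes(SAMPLE_LOG));
    printf("temp-file selftest: %s\n", selftest_setuid_on_temp_file() ? "ok" : "failed");
    return 0;
}
```

Run it as root (or point it at a path you own) to see the real binary's state; strip_setuid is the programmatic equivalent of the chmod 0755 workaround and should only be applied as a stopgap, since it disables legitimate pkexec use until the patched package restores the bit.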
What are other names for PwnKit (CVE-2021-4034)?
Common alternative names include: CVE-2021-4034, Polkit pkexec LPE.
● Related terms
- vulnerabilities№ 860
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
- vulnerabilities№ 324
Dirty Pipe (CVE-2022-0847)
A Linux kernel flaw that lets an unprivileged process overwrite the contents of arbitrary read-only files, including SUID binaries, leading to root.
- vulnerabilities№ 633
Looney Tunables (CVE-2023-4911)
A buffer overflow in glibc's dynamic loader triggered by the GLIBC_TUNABLES environment variable that yields local root on many Linux distributions.