CVE-2013-6282 — Linux Kernel Improper Input Validation Vulnerability

Linux Kernel — ARM get_user/put_user Missing Address Validation Allows Any Process to Read and Write Kernel Memory

What is the Linux Kernel?

The Linux kernel is the core of Linux-based operating systems, including Android — the dominant mobile OS. The kernel enforces memory protection between user space (applications) and kernel space (OS code and data). The get_user and put_user macros are low-level primitives used throughout the kernel to safely copy data between kernel space and user space addresses, with an address validation check ensuring user-space code cannot read or write kernel memory.

Overview

CVE-2013-6282 is an improper input validation vulnerability (CWE-20) in the Linux kernel's get_user and put_user macros on ARM v6k/v7 architecture. These macros failed to validate the target address before performing the memory access, allowing a user-space application to pass a kernel-space address and directly read from or write to arbitrary kernel memory. On Android devices (which use ARM processors), this provides any installed application with the ability to escalate privileges to root by overwriting kernel data structures.

The fix was committed to the Linux kernel (commit 8404663f81d2) before the CVE was published.

Affected Versions

| Component | Affected Versions | Fixed Version |
|---|---|---|
| Linux kernel (ARM v6k/v7) | Kernels prior to the 8404663f fix | Kernels with commit 8404663f applied |
| Android (ARM) | Devices running vulnerable kernel versions | Device-specific vendor security patches |

Technical Details

The get_user(x, ptr) and put_user(x, ptr) kernel macros are used to safely transfer data between kernel execution context and user-space memory. Because kernel code runs with full memory access rights, these macros are supposed to validate that ptr points into user-space (not kernel-space) before performing the access — preventing kernel code from being tricked into accessing kernel memory via an attacker-supplied pointer.

On ARM v6k/v7, the validation check was missing or insufficient. The macros would proceed with the memory access even if ptr was a kernel-space address, treating it as if it were a valid user-space pointer.
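The following user-space C model shows the range check that get_user/put_user are expected to perform, next to the unchecked shape described above. It is an added illustration, not code from the kernel or from commit 8404663f81d2. The array-backed address space, USER_LIMIT, KERNEL_WORD and all function names are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model, not kernel source: a small array stands in for a 32-bit
 * address space. Addresses below USER_LIMIT are "user space", the rest is
 * "kernel space". All names are hypothetical. */
#define MEM_SIZE    0x2000u
#define USER_LIMIT  0x1000u
#define KERNEL_WORD 0x1800u   /* constructed kernel-owned location */
static uint8_t mem[MEM_SIZE];

/* Raw 32-bit accessors: what happens once an access has been allowed. */
static uint32_t raw_load(uint32_t p) {
    uint32_t v = 0;
    for (unsigned i = 0; i < 4; i++) v |= (uint32_t)mem[(p + i) % MEM_SIZE] << (8 * i);
    return v;
}
static void raw_store(uint32_t p, uint32_t v) {
    for (unsigned i = 0; i < 4; i++) mem[(p + i) % MEM_SIZE] = (uint8_t)(v >> (8 * i));
}

/* The whole range [p, p + size) must sit below the limit. Comparing against
 * USER_LIMIT - size avoids being fooled by p + size wrapping around 32 bits. */
static int user_range_ok(uint32_t p, uint32_t size) {
    return size <= USER_LIMIT && p <= USER_LIMIT - size;
}

/* Flawed shape: the caller-supplied pointer is used without a range check. */
static int put_user_unchecked(uint32_t x, uint32_t p) { raw_store(p, x); return 0; }
static int get_user_unchecked(uint32_t *x, uint32_t p) { *x = raw_load(p); return 0; }

/* Corrected shape: anything outside user space is rejected with -EFAULT. */
static int put_user_checked(uint32_t x, uint32_t p) {
    if (!user_range_ok(p, sizeof x)) return -EFAULT;
    raw_store(p, x);
    return 0;
}
static int get_user_checked(uint32_t *x, uint32_t p) {
    if (!user_range_ok(p, sizeof *x)) return -EFAULT;
    *x = raw_load(p);
    return 0;
}

int main(void) {
    uint32_t v = 0;
    raw_store(KERNEL_WORD, 0xC0FFEE00u);   /* constructed value */
    printf("checked:   get=%d put=%d\n", get_user_checked(&v, KERNEL_WORD), put_user_checked(0, KERNEL_WORD));
    printf("unchecked: get=%d put=%d\n", get_user_unchecked(&v, KERNEL_WORD), put_user_unchecked(0, KERNEL_WORD));
    return 0;
}
```

In the model the checked variants return -EFAULT and leave the kernel-owned word untouched, while the unchecked variants succeed on the same address.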

Exploitation: An unprivileged application can:

  1. Call a kernel syscall that internally uses get_user or put_user with user-supplied addresses
  2. Supply a kernel-space address as the ptr argument
  3. Read from or write to that kernel address directly

Privilege escalation path: Writing to carefully chosen kernel addresses — for example, the uid or gid fields of the current process's credentials structure, or kernel function pointers — allows an unprivileged application to grant itself root privileges or execute code in kernel context.

Android significance: The vulnerability affected all Android devices using ARM v6k/v7 processors — essentially the entire Android ecosystem at the time. Combined with Android's fragmented update distribution (OEM → carrier → user), many devices never received the fix.

Discovery

The flaw was identified through kernel code review. The fix was merged into the mainline Linux kernel in November 2013 and backported to stable branches, but Android device uptake depended on OEM and carrier cooperation.

Exploitation Context

CISA confirmed exploitation in the wild. The vulnerability was incorporated into Android rooting tools and privilege escalation components in Android malware. ARM architecture kernel memory access vulnerabilities like this one were a foundation for Android privilege escalation exploits during 2012–2015.

Remediation

  1. Apply kernel updates — the fix is in kernel commit 8404663f81d2; apply the update for your specific kernel version or distribution
  2. For Android devices: apply OEM/carrier security updates that include kernel patches
  3. Restrict installation of untrusted applications — the exploit requires a locally-running process
  4. For enterprise Android management: enforce minimum security patch levels via MDM; devices below the required patch level should not be permitted to access corporate resources
  5. Devices that no longer receive security updates from their manufacturer are permanently vulnerable and should be retired

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2013-6282 |
| Vendor / Product | Linux — Kernel |
| NVD Published | 2013-11-20 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-20 |
| CISA KEV Added | 2022-09-15 |
| CISA KEV Deadline | 2022-10-06 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-10-06. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2013-11-12 | Linux kernel fix committed (8404663f81d2) addressing get_user/put_user address validation on ARM |
| 2013-11-20 | CVE-2013-6282 published |
| 2022-09-15 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-10-06 | CISA BOD 22-01 remediation deadline |