CVE-2014-0196 — Linux Kernel Race Condition Vulnerability

Linux Kernel TTY Subsystem — n_tty_write() Race Condition Allows Local Privilege Escalation or Denial of Service

What Is the Linux Kernel TTY Subsystem?

The Linux kernel's TTY (teletypewriter) subsystem manages terminal devices, both physical serial terminals and pseudoterminals (ptys) used by SSH sessions, terminal emulators, and shell processes. The n_tty line discipline is the default processing layer for TTY devices, handling input/output buffering, line editing (backspace, tab expansion), echo, and flow control. Because virtually every interactive Linux session flows through the TTY subsystem, a vulnerability here can give any authenticated user a path to local privilege escalation.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 12, 2023. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-0196 is a race condition vulnerability in the n_tty_write() function in the Linux kernel's TTY line discipline. When a TTY device is in LECHO (local echo) mode with OPOST (output post-processing) disabled, concurrent read and write operations on the same TTY can race, causing kernel memory corruption or a null pointer dereference. The primary impact is a kernel panic (denial of service), but in some kernel configurations and architectures the race may be exploitable for local privilege escalation.

Affected Versions

Linux Kernel           Status
3.14.x before 3.14.2   Vulnerable
3.13.x and earlier     Potentially affected (check distribution backports)
3.14.2 and later       Fixed (upstream)

All major Linux distributions shipped backport patches in their stable kernel packages. Any system running kernel 3.14.0 or 3.14.1 without vendor patches was vulnerable.

Technical Details

Root Cause: Unsynchronized Concurrent TTY Read/Write

The race condition exists in drivers/tty/n_tty.c in the n_tty_write() function. When output post-processing (OPOST) is disabled but local echo (LECHO) is enabled, the write path processes characters and echoes them via a code path that is not properly synchronized with concurrent reads on the same TTY.

Under concurrent read and write pressure on the same TTY device, two threads can simultaneously access the TTY's internal buffers without adequate locking:

  1. Thread A calls n_tty_write() and is in the middle of echoing output
  2. Thread B reads from the same TTY, advancing the read position
  3. The resulting unsynchronized state can produce a null pointer dereference or out-of-bounds memory access

The primary consequence is a kernel oops/panic (denial of service). On certain kernel versions and hardware configurations, the memory corruption may be leveraged for privilege escalation, as the corrupted data can influence kernel control flow.

Attack Characteristics

Attribute             Detail
Attack Vector         Local — requires a shell on the target system
Privileges Required   Low (any authenticated user)
Primary Impact        Kernel panic (denial of service)
Secondary Impact      Potential local privilege escalation in some configurations
CWE                   CWE-362: Race Condition

Discovery

Reported by Peter Hurley to the Linux kernel security team in late April 2014. The fix was merged into the mainline kernel in Linux 3.14.2.

Exploitation Context

  • Requires local access (shell login or code execution on the target system)
  • Primarily exploited as a denial-of-service (kernel crash) to disrupt systems or as a step in a local privilege escalation chain
  • Added to CISA's KEV catalog in May 2023; exploitation confirmed against legacy Linux systems (older enterprise deployments, embedded Linux, IoT devices running end-of-life kernels)
  • End-of-life kernel versions on unpatched systems (particularly in embedded systems and older server deployments) remain vulnerable

Remediation

CISA BOD 22-01 Deadline: June 2, 2023. CISA notes the impacted product is end-of-life. Systems still running Linux kernels in the affected range should be updated or decommissioned.

  1. Update the kernel to 3.14.2 or later, or apply the distribution-provided backport patch. For major distros: apt update && apt upgrade linux-image-* (Debian/Ubuntu) or equivalent.

  2. Check current kernel version: uname -r. Kernels below 3.14.2 without vendor patches are vulnerable.

  3. Decommission legacy systems running end-of-life kernel versions that cannot be patched. These are persistent attack targets for local privilege escalation.

  4. Minimize local access on systems that cannot be patched — restrict shell access to trusted users only and audit SSH authorized keys.
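
The version check from step 2, as an added example that is not part of the original advisory: a POSIX shell function that classifies a `uname -r` string against the Affected Versions table above. The function name and sample release strings are constructed; a "potentially-affected" verdict cannot be settled from the release string alone, so confirm the backport in the distribution's kernel changelog.

```shell
#!/bin/sh
# Added example: map a `uname -r` string onto this page's "Affected Versions"
# table. Thresholds are the page's; names and sample strings are constructed.

# classify_kernel RELEASE prints one verdict:
#   vulnerable            3.14.x before 3.14.2
#   potentially-affected  3.13.x and earlier: confirm the vendor backport
#   fixed-upstream        3.14.2 and later
#   unknown               release string could not be parsed
classify_kernel() {
    rel=$1
    base=${rel%%[-+_]*}          # drop distro suffix, e.g. "-24-generic"
    major=${base%%.*}
    minor=0                      # a missing minor or patch level counts as 0
    patch=0
    case $base in
        *.*)
            rest=${base#*.}
            minor=${rest%%.*}
            case $rest in
                *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
            esac
            ;;
    esac
    # Reject anything that is not purely numeric before comparing.
    for n in "$major" "$minor" "$patch"; do
        case $n in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if   [ "$major" -gt 3 ];  then echo fixed-upstream
    elif [ "$major" -lt 3 ];  then echo potentially-affected
    elif [ "$minor" -gt 14 ]; then echo fixed-upstream
    elif [ "$minor" -lt 14 ]; then echo potentially-affected
    elif [ "$patch" -lt 2 ];  then echo vulnerable
    else echo fixed-upstream
    fi
}

# Constructed sample release strings; on a real host pass "$(uname -r)".
for r in 3.14.1 3.14 3.14.2 3.13.0-24-generic 3.10.0-1160.el7.x86_64 4.19.0-25-amd64; do
    printf '%-28s %s\n' "$r" "$(classify_kernel "$r")"
done
```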

Key Details

Property               Value
CVE ID                 CVE-2014-0196
Vendor / Product       Linux — Kernel
NVD Published          2014-05-07
NVD Last Modified      2025-10-22
CVSS 3.1 Score         5.5
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity               MEDIUM
CWE                    CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CISA KEV Added         2023-05-12
CISA KEV Deadline      2023-06-02
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       None
Integrity             None
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-06-02. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date         Event
2014-04-29   Vulnerability reported to kernel security team by Peter Hurley
2014-05-02   Fix merged into Linux kernel 3.14.2
2014-05-07   CVE-2014-0196 published by NVD
2023-05-12   Added to CISA Known Exploited Vulnerabilities catalog
2023-06-02   CISA BOD 22-01 remediation deadline