CVE-2014-3153 — Linux Kernel Privilege Escalation Vulnerability

Linux Kernel — 'Towelroot': futex_requeue() Privilege Escalation Enables One-Click Android Root and Linux Kernel Exploit

What Is the Linux Kernel futex Subsystem?

The Linux kernel futex (fast userspace mutex) subsystem provides user-space locking primitives that allow threads to synchronize with minimal kernel involvement. When uncontested, futex operations happen entirely in user space; the kernel is only invoked when a thread must actually wait or wake another thread. The futex_requeue() operation allows waiting threads to be moved from one futex to another — used by condition variable implementations in pthreads. This complex functionality, with its kernel-enforced invariants, created the attack surface for CVE-2014-3153.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-3153, widely known as "Towelroot," is a Linux kernel privilege escalation vulnerability in the futex_requeue() function. The function fails to validate that two futex addresses are different before performing the requeue operation, allowing a local attacker to manipulate kernel data structures and elevate privileges to root. Security researcher George Hotz (geohot) discovered and exploited this to build Towelroot — a one-click Android root tool that worked on a wide range of Android devices (including the Samsung Galaxy S5) running unpatched kernels. The vulnerability affected the Linux kernel across all platforms, including Android, server Linux, and embedded devices.

Affected Versions

Linux Kernel: Status
< 3.14.5 (stable): Vulnerable
< 3.15.2 (mainline): Vulnerable
Vendor backport patches: Required for older stable branches
Android (most devices, pre-June 2014): Vulnerable (Android kernel updates lag upstream)

Almost all Android devices shipping before mid-2014 were vulnerable, and many devices that never received OTA updates remained vulnerable indefinitely.

Technical Details

Root Cause: Missing Validation in futex_requeue()

The futex_requeue() operation (invoked through the futex system call with FUTEX_REQUEUE or FUTEX_CMP_REQUEUE) moves waiting threads from one futex to another. The vulnerable code in kernel/futex.c did not verify that the source and destination futex addresses were distinct before proceeding. By passing the same address for both source and destination, an attacker could create a circular waiters list in the kernel's futex hash table.

Carefully timed operations on this circular structure cause the kernel to write to attacker-controlled memory during a subsequent futex operation. Combined with heap shaping (using other kernel primitives to control memory layout), the attacker can:

  1. Create the circular futex waiters list
  2. Trigger a kernel write to a controlled address
  3. Overwrite a kernel function pointer or credential structure
  4. Redirect execution to shellcode or directly modify the calling process's uid/gid to 0 (root)

Towelroot

George Hotz weaponized this into a reliable, one-click root exploit for Android. The Towelroot app (tr.apk) was released at towelroot.com in June 2014 — users installed it, tapped a button, and their device was rooted. Devices confirmed vulnerable included the Samsung Galaxy S5 on multiple carriers, HTC One M8, and many others running Android 4.x kernels.

Attack Characteristics

Attribute: Detail
Attack Vector: Local — requires shell or app execution on the target
Privileges Required: Low (any local user or Android app without special permissions)
Impact: Full kernel privilege escalation to root/SYSTEM
Reliability: High — Towelroot demonstrated very reliable exploitation
Android impact: One-click root; bypasses Android security model

Discovery

George Hotz (known as "geohot") — the hacker who first jailbroke the iPhone and first unlocked the PlayStation 3 — discovered CVE-2014-3153 and published the Towelroot exploit on May 21, 2014, the same day as a security conference demonstration. Hotz released Towelroot publicly at towelroot.com as a free Android root tool.

Exploitation Context

  • Android rooting: Towelroot became one of the most widely used Android root tools in 2014, compatible with Android 4.x devices across all major manufacturers; millions of devices were rooted using it
  • Malware abuse: Android malware families incorporated the Towelroot exploit for privilege escalation — a malicious app with no special permissions could exploit CVE-2014-3153 to gain root, install persistent backdoors, or disable security software
  • Server Linux: The same vulnerability existed in Linux server kernels; a local attacker (e.g., one who had already obtained a web shell through a vulnerable web application) could use it to escalate from the www-data user to root
  • Long tail: Android devices are notoriously slow to receive kernel patches; many devices never received an OTA update patching CVE-2014-3153, leaving them permanently exploitable
  • CISA KEV (2022): Added May 2022 — eight years after discovery — confirming continued exploitation against legacy Android and embedded Linux devices

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Update the kernel to Linux 3.14.5+ or apply vendor/distribution backport patches. For Android devices, install the OTA update from your device manufacturer.

  2. Android devices: Apply the Android security update that patches CVE-2014-3153. Samsung, HTC, LG, and other OEMs released patches in mid-to-late 2014. Devices that never received an update should be considered permanently exploitable.

  3. Decommission unpatched devices — Android devices running kernels without this fix should not be trusted in corporate environments or used to access sensitive data.

  4. Mobile Device Management (MDM): Enforce minimum OS/patch levels via MDM policy to prevent unpatched devices from accessing corporate resources.

  5. Linux servers: Identify all servers running kernel versions below 3.14.5 and apply distribution-provided security updates immediately.
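A fleet check for step 5, added here as an example and not part of the original advisory: the script classifies kernel version strings against the vulnerable ranges this page lists (stable below 3.14.5, mainline below 3.15.2). It assumes uname -r style strings such as "3.13.0-24-generic"; the hostnames and versions in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): classify a Linux kernel
# version string against the vulnerable ranges listed for CVE-2014-3153,
# i.e. stable < 3.14.5 and mainline < 3.15.2. Only the numeric
# major.minor.patch prefix of a uname -r string is compared.
# Caveat: a distribution kernel carrying a vendor backport keeps its old
# version number, so it is flagged here and must be checked against the
# vendor advisory before being treated as exploitable.

# kernel_vuln VERSION -> prints "vulnerable" or "fixed"
kernel_vuln() {
    # keep only the leading digits-and-dots part, e.g. 3.13.0-24-generic -> 3.13.0
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    # trailing dots guarantee cut sees a delimiter even for "3" or "3.13"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s.' "$ver" | cut -d. -f2)
    patch=$(printf '%s..' "$ver" | cut -d. -f3)
    # fold the triple into one integer; missing fields count as 0
    num=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    if [ "$num" -lt 3014005 ]; then
        echo vulnerable      # older than the 3.14.5 stable fix
    elif [ "$num" -ge 3015000 ] && [ "$num" -lt 3015002 ]; then
        echo vulnerable      # 3.15.0 / 3.15.1 mainline, fixed in 3.15.2
    else
        echo fixed
    fi
}

# fleet_report reads "hostname kernel-version" lines on stdin and prints
# only the hosts that still need the update
fleet_report() {
    while read -r host kver; do
        if [ -n "$host" ] && [ "$(kernel_vuln "$kver")" = vulnerable ]; then
            echo "$host $kver vulnerable"
        fi
    done
    return 0
}

# Constructed sample inventory (hypothetical hosts) for a stand-alone run
fleet_report <<'EOF'
web01 3.13.0-24-generic
web02 3.14.5
db01 3.15.1
db02 3.16.0
EOF
```

On a live host, `kernel_vuln "$(uname -r)"` gives the same classification for the running kernel.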

Key Details

Property: Value
CVE ID: CVE-2014-3153
Vendor / Product: Linux — Kernel
NVD Published: 2014-06-07
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-269 — Improper Privilege Management
CISA KEV Added: 2022-05-25
CISA KEV Deadline: 2022-06-15
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date: Event
2014-05-21: George Hotz (geohot) publicly discloses the Towelroot exploit and launches towelroot.com
2014-05-22: Linux kernel patch for futex_requeue() submitted
2014-06-06: Fix merged into Linux kernel stable branches
2014-06-07: CVE-2014-3153 published by NVD
2022-05-25: Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15: CISA BOD 22-01 remediation deadline

References

Resource: Type
NVD — CVE-2014-3153: Vulnerability Database
CISA KEV Catalog Entry: US Government
Towelroot — George Hotz Android Root Tool (archived): Security Research
Linux Kernel Fix Commit — CVE-2014-3153 Patch: Source Code
MITRE CVE — CVE-2014-3153: Vulnerability Database