CVE-2016-5195

Overview

CVE-2016-5195, nicknamed "Dirty COW" (Dirty Copy-On-Write), is a local privilege escalation vulnerability in the Linux kernel that resided undetected for approximately nine years — present in every Linux kernel from version 2.6.22 (released June 2007) through 4.8. A race condition in the kernel's copy-on-write memory management code allows any unprivileged local user to obtain write access to otherwise read-only memory-mapped files, including setuid root binaries, enabling reliable root privilege escalation.

Dirty COW is the first in a lineage of Linux kernel page-cache exploitation techniques. CVE-2022-0847 (Dirty Pipe, 2022) reproduced the same primitive without a race condition via the pipe subsystem; CVE-2026-31431 (Copy Fail, 2026) later demonstrated it again via the kernel's crypto API.

What Is the Linux Kernel?

The Linux kernel is the foundational software layer between hardware and user-space programs, present in every major Linux distribution, Android device, cloud instance, and container runtime. A privilege escalation flaw in the kernel allows any local attacker — a restricted shell account, a compromised web application, or code inside a container — to obtain root access on the host.

Affected Versions

The vulnerable code was introduced in Linux 2.6.22 (July 2007) and affected every kernel version for nine years.

Affected distributions (at time of disclosure): Every major Linux distribution — Ubuntu, Debian, RHEL/CentOS, SUSE, Fedora, and all Android versions shipping kernels ≥ 2.6.22. Android was specifically highlighted as particularly exposed due to the slow update cycle for device firmware.

Technical Details

Root Cause: Race Condition in Copy-on-Write Handling

Linux uses copy-on-write (COW) semantics to efficiently manage memory when multiple processes share the same pages. When a process attempts to write to a shared read-only page, the kernel is supposed to:

1. Create a private copy of the page for the writing process.
2. Update the process's page table to point to the private copy.
3. Allow the write to proceed on the private copy.

The vulnerability lies in mm/gup.c (get_user_pages). An attacker can race between two threads:

• Thread 1: Opens /proc/self/mem and writes to the memory address corresponding to a target file's mapping.
• Thread 2: Calls madvise(MADV_DONTNEED) on the same mapping, discarding the private COW copy and reverting the page table to point back to the original read-only page.

By rapidly alternating between the write and the madvise call, the attacker can cause the write to land on the original shared read-only page before the kernel can enforce the COW semantics. Because /proc/self/mem allows a process to write to its own virtual address space, and because the kernel's get_user_pages function temporarily grants write access without proper synchronization, an attacker wins the race often enough to corrupt the target file in memory.

Exploitation: Step by Step

1. Map a target file — typically a setuid root binary such as /usr/bin/sudo or /bin/su — into the process's address space using mmap(O_RDONLY).
2. Open /proc/self/mem for writing.
3. Spawn two racing threads:
   • Thread A: lseek to the target offset in /proc/self/mem and write the payload bytes.
   • Thread B: call madvise(addr, MADV_DONTNEED) on the mapped region to evict the COW page.
4. Loop thousands of times. The race is won when the kernel writes Thread A's bytes directly to the original shared page — the in-memory copy of the target binary is now modified.
5. Execute the modified setuid binary to obtain a root shell.

Attack Characteristics

The CVSS AC:High classification reflects the race condition requirement, but in practice the exploit completes quickly and reliably on modern multi-core hardware where both threads can execute simultaneously.

Discovery

Phil Oester, a Linux system administrator, discovered the vulnerability while reviewing HTTP packet captures from a production server that had been compromised. An attacker had uploaded an exploit binary that used the technique, which led Oester to identify the underlying kernel bug. He submitted the vulnerability report to the Linux kernel security team on October 13, 2016. The bug was subsequently found to be nearly nine years old — traceable to commit 4ceb5db9757a in 2007.

The name "Dirty COW" was coined to describe the mechanism: the kernel's COW (copy-on-write) mechanism is made dirty (bypassed) by the race condition.

Exploitation Context

• Age: Nine years in the kernel before discovery — one of the longest-lived privilege escalation vulnerabilities ever found
• In-the-wild use: Confirmed exploitation in the wild prior to disclosure (Oester's discovery was from an active compromise)
• Android impact: All Android versions were affected; a variant called DirtySock was developed specifically for Android
• Post-disclosure: Multiple PoC variants emerged immediately; the vulnerability was integrated into exploit frameworks within days
• Longevity: Devices that cannot receive kernel updates (older Android phones, embedded Linux devices) remain permanently vulnerable
• CISA KEV: Added March 3, 2022 — over five years after disclosure — confirming active exploitation continued through 2021–2022

Remediation

Recommended Actions

1. Update the kernel to Linux 4.8.3, 4.7.9, 4.4.26, or any later release. Verify with uname -r. All major distributions issued emergency kernel security updates within days of disclosure.

2. Android devices: Apply vendor firmware updates. Devices that have not received security updates since November 2016 should be treated as permanently compromised and replaced.

3. Harden the kernel baseline: Dirty COW is the historical archetype for page-cache write exploitation. Its successors — Dirty Pipe (CVE-2022-0847) and Copy Fail (CVE-2026-31431) — demonstrate that this class of vulnerability recurs across kernel subsystems. The KSPP kernel hardening baseline provides systematic defense-in-depth controls that raise the cost of exploitation across this entire vulnerability class.