CVE-2013-6282

CVE Database · CVE-2013-6282

CVE-2013-6282

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

39.71%

Published

Nov 20, 2013

Modified

Apr 22, 2026

CISA Known Exploited Vulnerability

Added: 2022-09-15 · Due: 2022-10-06

Apply updates per vendor instructions.

Public PoC / Exploit (7)

All weaponized →

Exploit-DBGoogle Android - get_user/put_user (Metasploit)Exploit-DBLinux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation TrickestTrickest PoC index GitHub PoCfi01/libput_user_exploit★27 GitHub PoCtimwr/CVE-2013-6282★20 GitHub PoCjeboo/bypasslkm★13 GitHub PoCfi01/libget_user_exploit★8

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-20CWE-20

Affected Products (3)

linux · linux_kernel (up to 3.2.54)vulnerable

linux · linux_kernel (up to 3.4.12)vulnerable

linux · linux_kernel (up to 3.5.5)vulnerable

References (17)

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8404663f81d212918ff85f493649a7991209fa04

Patch

http://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-api-cve-2013-6282