Dirty COW (CVE-2016-5195): The Linux Kernel Race Condition That Refuses to Die
What Is Happening
CVE-2016-5195, widely known as "Dirty COW," is a race condition vulnerability in the Linux kernel's memory subsystem that allows local privilege escalation to root. The flaw exists in the kernel's copy-on-write (COW) mechanism when handling memory mappings, and it has been present in the Linux kernel since version 2.6.22, released in 2007. The vulnerability allows an unprivileged local user to gain write access to read-only memory mappings, enabling them to modify protected files—including SUID binaries and system configuration files—to escalate privileges.
Active exploitation of Dirty COW has been documented in the wild since at least October 2016, with threat actors using it in post-compromise scenarios to escalate from low-privilege shells to full root access. The vulnerability is particularly favored in attacks against web servers, containerized environments, and shared hosting platforms where attackers already have limited shell access through web application vulnerabilities or compromised credentials. Multiple public exploits exist and are considered highly reliable across affected distributions.
CISA added CVE-2016-5195 to the Known Exploited Vulnerabilities (KEV) catalog on March 3, 2022, confirming ongoing exploitation nearly six years after initial disclosure. Despite patches being available since late 2016, vulnerable systems persist in production environments, particularly legacy systems, embedded devices, and Android devices no longer receiving security updates. The reliability of public exploits and the widespread availability of proof-of-concept code make this a persistent tool in attacker arsenals.
Affected Versions
| Product | Affected Versions | Status |
|---|---|---|
| Linux Kernel | 2.6.22 through 4.8.2 | Vulnerable |
| Red Hat Enterprise Linux | 5, 6, 7 (prior to patched versions) | Patches available |
| CentOS | 5, 6, 7 (prior to patched versions) | Patches available |
| Ubuntu | 12.04 LTS, 14.04 LTS, 16.04 LTS, 16.10 (prior to patched versions) | Patches available |
| Debian | Wheezy, Jessie, Stretch (prior to patched versions) | Patches available |
| SUSE Linux Enterprise | 11, 12 (prior to patched versions) | Patches available |
| Android | Versions through October 2016 security patch level | Varies by device |
Patched Versions:
- Linux Kernel: 4.8.3, 4.7.9, 4.4.26 LTS, and backported fixes to distribution kernels
- Red Hat: kernel-2.6.32-642.6.2.el6 (RHEL 6), kernel-3.10.0-327.36.3.el7 (RHEL 7) — See RHSA-2016:2098
- Ubuntu: See USN-3107-1 for 16.04 LTS, USN-3106-1 for 14.04 LTS
- Debian: See DSA-3696-1
End-of-Life Warning: RHEL 5, Ubuntu 12.04 LTS, and Debian Wheezy have reached end-of-life and no longer receive security updates. Systems running these distributions must migrate to supported versions.
What Being on an Affected Version Means
An attacker with any local access—whether through a compromised web application, SSH brute force, or container escape—can exploit Dirty COW to gain full root privileges within seconds. The exploit works by racing the kernel's COW mechanism to write arbitrary content to files the attacker can read but should not be able to modify. Attackers typically overwrite /etc/passwd to add a root-level user, modify SUID binaries to spawn root shells, or inject code into running processes.
The attack path typically begins with initial access through a web shell, compromised low-privilege account, or vulnerability in an internet-facing service. From root access, attackers can install persistent backdoors, access sensitive data including database credentials and private keys, pivot to other systems using harvested credentials, disable security tooling, and deploy ransomware or cryptominers. In containerized environments, this vulnerability can be chained with container escape techniques to compromise the underlying host. Any data accessible to the root user—which includes effectively all data on the system—is at risk.
Mitigation Steps
- Patch immediately by upgrading to a kernel version that includes the fix:
  - For the mainline kernel: upgrade to 4.8.3 or later, or 4.4.26 LTS or later
  - For RHEL/CentOS 6: `yum update kernel` to kernel-2.6.32-642.6.2.el6 or later
  - For RHEL/CentOS 7: `yum update kernel` to kernel-3.10.0-327.36.3.el7 or later
  - For Ubuntu 16.04 LTS: `apt-get update && apt-get upgrade linux-image-generic` to 4.4.0-45.66 or later
  - A reboot is required after the kernel update
- If immediate patching is not possible, apply the SystemTap or ktap-based mitigation script provided by Red Hat to block the race condition at runtime. This script is available in Red Hat Knowledgebase Article 2757641.
- Restrict local access by auditing all accounts with shell access, removing unnecessary user accounts, enforcing key-based SSH authentication, and disabling password authentication where possible.
- Deploy application-level sandboxing using SELinux in enforcing mode or AppArmor profiles to limit the impact of privilege escalation, particularly for internet-facing services.
- Monitor for exploitation attempts by implementing the following detection measures:
  - Audit file modifications to `/etc/passwd`, `/etc/shadow`, and SUID binaries using `auditd` rules: `auditctl -w /etc/passwd -p wa -k dirtycow`
  - Monitor for processes writing to `/proc/self/mem` or using `ptrace` in unusual patterns
  - Alert on new SUID binaries or unexpected permission changes
  - Check for kernel log messages containing "bad pmd" or "page fault" errors in rapid succession
- For Android devices, verify the security patch level is October 2016 or later under Settings → About Phone → Android Security Patch Level. Devices no longer receiving updates should be replaced or isolated from sensitive data.
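As an added defender-side illustration (not code from the original advisory), the following Python parses auditd records and flags two of the indicators listed in the detection measures above: an unprivileged process writing through `/proc/<pid>/mem`, and a non-root event on a watched file that carries the `dirtycow` key from the quoted `auditctl` rule. The log lines, PIDs, timestamps and the `dirtyc0w` binary name are constructed sample data, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not a real capture). Event 1001 is a write()
# to /proc/<pid>/mem by an unprivileged process, event 1002 is the same process
# opening /etc/passwd under the "dirtycow" watch key, 1003 is a root edit via vipw.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1477000123.456:1001): arch=c000003e syscall=1 success=yes exit=8 pid=2002 auid=1000 uid=1000 euid=1000 comm="dirtyc0w" exe="/tmp/dirtyc0w" key=(null)
type=PATH msg=audit(1477000123.456:1001): item=0 name="/proc/2002/mem" inode=4 dev=00:04 mode=0100600 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1477000124.001:1002): arch=c000003e syscall=257 success=yes exit=3 pid=2002 auid=1000 uid=1000 euid=1000 comm="dirtyc0w" exe="/tmp/dirtyc0w" key="dirtycow"
type=PATH msg=audit(1477000124.001:1002): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1477000130.000:1003): arch=c000003e syscall=1 success=yes exit=64 pid=3100 auid=0 uid=0 euid=0 comm="vipw" exe="/usr/sbin/vipw" key="dirtycow"
type=PATH msg=audit(1477000130.000:1003): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
EVENT_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")  # timestamp and event id
WATCHED = {"/etc/passwd", "/etc/shadow"}           # files covered by the auditctl watch
PROC_MEM_RE = re.compile(r"^/proc/(?:self|\d+)/mem$")


def parse_events(log_text):
    """Group audit records by event id; each event maps record type to its field dicts."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[m.group(2)].setdefault(fields["type"], []).append(fields)
    return events


def find_suspicious(events):
    """Return (event_id, reason) pairs for the indicators named in the text above."""
    hits = []
    for eid, ev in sorted(events.items()):
        syscall = ev.get("SYSCALL", [{}])[0]
        paths = [p.get("name", "") for p in ev.get("PATH", [])]
        euid, exe = syscall.get("euid"), syscall.get("exe", "?")
        if euid in (None, "0"):  # root edits of /etc/passwd are expected noise
            continue
        # Indicator 1: an unprivileged process writing through /proc/<pid>/mem.
        if any(PROC_MEM_RE.match(p) for p in paths):
            hits.append((eid, f"euid {euid} ({exe}) wrote to {paths[0]}"))
        # Indicator 2: the auditctl watch key fired on a protected file for a non-root euid.
        if syscall.get("key") == "dirtycow" and any(p in WATCHED for p in paths):
            hits.append((eid, f"euid {euid} ({exe}) touched {paths[0]} under key dirtycow"))
    return hits
```

Running `find_suspicious(parse_events(SAMPLE_AUDIT_LOG))` on the sample flags events 1001 and 1002 and ignores the root `vipw` edit; on a live host, feed it the contents of `/var/log/audit/audit.log` instead.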
Given CISA KEV status, active exploitation, and the availability of reliable public exploits, any system running an unpatched kernel should be treated as compromised until verified clean and patched.