CVE-2009-2692


The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Published: 2009-08-14 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2009-2692 is rated High Exploit Risk (77.1/100): CVSS High severity, with high exploitation likelihood (EPSS 14.75%, 96th percentile). Core evidence: 12 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2009-2692

EDB-ID Source Kind Published Link
19933 exploit_db edb 2012-07-19 Exploit-DB ↗
9641 exploit_db edb 2009-09-11 Exploit-DB ↗
9598 exploit_db edb 2009-09-09 Exploit-DB ↗
9545 exploit_db edb 2009-08-31 Exploit-DB ↗
9479 exploit_db edb 2009-08-24 Exploit-DB ↗
9477 exploit_db edb 2009-08-18 Exploit-DB ↗
9436 exploit_db edb 2009-08-14 Exploit-DB ↗
9435 exploit_db edb 2009-08-14 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2009-2692

The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 17.56% 14.75% -2.81%
2 2026-04-08 17.14% 17.56% +0.42%
3 2026-04-07 17.14%

Full EPSS history (28 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-2692

CVSS metrics for this CVE.

CVSS 3.1: base score 7.8, severity HIGH, exploitability 1.8, impact 5.9, score source [email protected]
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
  • Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward: no weird race conditions or rare setup.
  • Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
  • User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
  • Scope (S:U): Damage stays in the same “trust bubble” as the broken component, with no big spill into unrelated systems.
  • Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
  • Integrity (I:H): They could widely tamper with or forge data; trust in the data is badly hurt.
  • Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

CVSS 2.0: base score 7.2, severity HIGH, exploitability 3.9, impact 10.0, score source [email protected]
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

  • Access vector (AV:L): Requires local access to the target system.
  • Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
  • Authentication (Au:N): No authentication is required.
  • Confidentiality impact (C:C): Complete confidentiality impact.
  • Integrity impact (I:C): Complete integrity impact.
  • Availability impact (A:C): Complete availability impact.

Weakness enumeration for CVE-2009-2692

OS Trackers for CVE-2009-2692

vendor priority summary link
redhat high https://access.redhat.com/security/cve/CVE-2009-2692
ubuntu medium CVE-2009-2692 medium priority: Ubuntu including 2 source packages (linux, linux-source-2.6.15), 10 status rows across 5 suites (dapper, hardy, intrepid, jaunty, upstream): released 6, DNE 4. https://ubuntu.com/security/CVE-2009-2692

Vendor comments (NVD) for CVE-2009-2692

  • Red Hat (2009-09-14T00:00:00)

    Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-18065. Updates for Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2692.html

Affected software / configurations for CVE-2009-2692

Vendor Product Version Raw CPE
linux linux_kernel >= 2.4.4, < 2.4.37.5 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 2.6.0, < 2.6.30.5 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
debian debian_linux 4.0 cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
suse linux_enterprise_real_time 10 cpe:2.3:o:suse:linux_enterprise_real_time:10:*:*:*:*:*:*:*
redhat enterprise_linux_desktop 4.0 cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*
redhat enterprise_linux_desktop 5.0 cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
redhat enterprise_linux_eus 4.8 cpe:2.3:o:redhat:enterprise_linux_eus:4.8:*:*:*:*:*:*:*
redhat enterprise_linux_eus 5.3 cpe:2.3:o:redhat:enterprise_linux_eus:5.3:*:*:*:*:*:*:*
redhat enterprise_linux_server 4.0 cpe:2.3:o:redhat:enterprise_linux_server:4.0:*:*:*:*:*:*:*
redhat enterprise_linux_server 5.0 cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 5.3 cpe:2.3:o:redhat:enterprise_linux_server_aus:5.3:*:*:*:*:*:*:*
redhat enterprise_linux_workstation 4.0 cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:*:*:*:*:*:*:*
redhat enterprise_linux_workstation 5.0 cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*

References for CVE-2009-2692

URL Tags
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html Broken Link Exploit
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html Exploit Issue Tracking
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3Bh=c18d0fe535a73b219f960d1af3d0c264555a12e3 Broken Link
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e694958388c50148389b0e9b9e9e8945cf0f1b98 Broken Link
http://grsecurity.net/~spender/wunderbar_emporium.tgz Broken Link
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html Mailing List
http://rhn.redhat.com/errata/RHSA-2009-1222.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2009-1223.html Third Party Advisory
http://secunia.com/advisories/36278 Broken Link Vendor Advisory
http://secunia.com/advisories/36289 Broken Link Vendor Advisory
http://secunia.com/advisories/36327 Broken Link Vendor Advisory
http://secunia.com/advisories/36430 Broken Link Vendor Advisory
http://secunia.com/advisories/37298 Broken Link Vendor Advisory
http://secunia.com/advisories/37471 Broken Link Vendor Advisory
http://support.avaya.com/css/P8/documents/100067254 Third Party Advisory
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121 Broken Link
http://www.debian.org/security/2009/dsa-1865 Mailing List Third Party Advisory
http://www.exploit-db.com/exploits/19933 Exploit Third Party Advisory VDB Entry
http://www.exploit-db.com/exploits/9477 Third Party Advisory VDB Entry
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5 Broken Link Vendor Advisory
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5 Broken Link Vendor Advisory
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6 Broken Link Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233 Broken Link
http://www.openwall.com/lists/oss-security/2009/08/14/1 Mailing List Patch
http://www.redhat.com/support/errata/RHSA-2009-1233.html Broken Link
http://www.securityfocus.com/archive/1/505751/100/0/threaded Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/505912/100/0/threaded Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/507985/100/0/threaded Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/512019/100/0/threaded Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/36038 Broken Link Exploit Third Party Advisory VDB Entry
http://www.vmware.com/security/advisories/VMSA-2009-0016.html Third Party Advisory
http://www.vupen.com/english/advisories/2009/2272 Broken Link Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/3316 Broken Link Vendor Advisory
http://zenthought.org/content/file/android-root-2009-08-16-source Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=516949 Issue Tracking Patch
https://issues.rpath.com/browse/RPL-3103 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657 Broken Link