CVE-2013-2596

Linux Kernel Integer Overflow Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

< 1%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.

Una determinada version de Android v4.1.2 en dispositivos Motorola Razr HD, Razr M, y Atrix HD con el chipset Qualcomm MSM8960 permite a atacantes físicamente próximos obtener acceso de root entrando en el modo de depuración USB, usando Android Debug Bridge (ADB) para establecer una conexión USB, y cargar y ejecutar el programa pwn Motochopper.

An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system.

The kernel packages contain the Linux kernel, the core of any Linux operating system. An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file could possibly use this flaw to escalate their privileges on the system. It was found that the Xen hypervisor x86 CPU emulator implementation did not correctly handle certain instructions with segment overrides, potentially resulting in a memory corruption. A malicious guest user could use this flaw to read arbitrary data relating to other guests, cause a denial of service on the host, or potentially escalate their privileges on the host.

Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability that allows for privilege escalation.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2013-03-15 CVE Reserved
2013-04-13 CVE Published
2022-09-15 Exploited in Wild
2022-10-06 KEV Due Date
2024-08-12 First Exploit
2025-02-07 CVE Updated
2025-03-30 EPSS Updated

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

References (19)

URL	Tag	Source
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b4cbb197c7e7...	Broken Link
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=fc9bbca8f650...	Broken Link
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761	Third Party Advisory
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.9	Mailing List
http://www.securityfocus.com/bid/59264	Broken Link

1 - 5 of 5

URL	Date	SRC
https://github.com/hiikezoe/libfb_mem_exploit	2024-08-12
http://forum.xda-developers.com/showthread.php?t=2255491	2025-02-07
http://www.droid-life.com/2013/04/09/root-method-released-for-droid-razr-hd-running-androi...	2025-02-07
http://www.droidrzr.com/index.php/topic/15208-root-motochopper-yet-another-android-root-ex...	2025-02-07
https://github.com/torvalds/linux/commit/fc9bbca8f650e5f738af8806317c0a041a48ae4a	2025-02-07

1 - 5 of 5

URL	Date	SRC
http://marc.info/?l=linux-kernel&m=136616837923938&w=2	2024-06-28
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan20...	2024-06-28
https://github.com/torvalds/linux/commit/b4cbb197c7e7a68dbad0d491242...	2024-06-28

1 - 3 of 3

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2015-0695.html	2024-06-28
http://rhn.redhat.com/errata/RHSA-2015-0782.html	2024-06-28
http://rhn.redhat.com/errata/RHSA-2015-0803.html	2024-06-28
http://www.mandriva.com/security/advisories?name=MDVSA-201...	2024-06-28
https://access.redhat.com/security/cve/CVE-2013-2596	2016-03-15
https://bugzilla.redhat.com/show_bug.cgi?id=1034490	2016-03-15

1 - 6 of 6

Affected Vendors, Products, and Versions (20)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 2.6.12 < 3.0.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 3.0.75"	-	Affected	in	Motorola Search vendor "Motorola"	Atrix Hd Search vendor "Motorola" for product "Atrix Hd"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 2.6.12 < 3.0.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 3.0.75"	-	Affected	in	Motorola Search vendor "Motorola"	Razr Hd Search vendor "Motorola" for product "Razr Hd"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 2.6.12 < 3.0.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 3.0.75"	-	Affected	in	Motorola Search vendor "Motorola"	Razr M Search vendor "Motorola" for product "Razr M"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 2.6.12 < 3.0.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 3.0.75"	-	Affected	in	Qualcomm Search vendor "Qualcomm"	Msm8960 Search vendor "Qualcomm" for product "Msm8960"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 3.1 < 3.2.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 3.2.45"	-	Affected	in	Motorola Search vendor "Motorola"	Atrix Hd Search vendor "Motorola" for product "Atrix Hd"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 3.1 < 3.2.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 3.2.45"	-	Affected	in	Motorola Search vendor "Motorola"	Razr Hd Search vendor "Motorola" for product "Razr Hd"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 3.1 < 3.2.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 3.2.45"	-	Affected	in	Motorola Search vendor "Motorola"	Razr M Search vendor "Motorola" for product "Razr M"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 3.1 < 3.2.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 3.2.45"	-	Affected	in	Qualcomm Search vendor "Qualcomm"	Msm8960 Search vendor "Qualcomm" for product "Msm8960"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 3.3 < 3.4.42 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.4.42"	-	Affected	in	Motorola Search vendor "Motorola"	Atrix Hd Search vendor "Motorola" for product "Atrix Hd"	-	-	Safe
Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	>= 3.3 < 3.4.42 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.4.42"	-	Affected	in	Motorola Search vendor "Motorola"	Razr Hd Search vendor "Motorola" for product "Razr Hd"	-	-	Safe

1 - 10 of 20