Threats / Linux / CVE-2013-2094
CVE-2013-2094
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Linux Kernel vulnerability
Linux kernel perf subsystem fails to validate all 64 bits of user-supplied attr.config, enabling out-of-bounds array access and privilege escalation.
Verdict
Today item — known-exploited.
A local attacker can exploit improper input validation in the perf_swevent subsystem to trigger out-of-bounds memory access, escalating privileges from unprivileged user to kernel level.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Public proof-of-concept exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
3 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-09-15).
Probability (EPSS)
EPSS 0.47709 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Linux, Kernel. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-189 CWE-189.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
WeaknessCWE-189 · CWE-189
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
Craft a malicious perf_event_open syscall with specially crafted attr.config value that bypasses 64-bit validation checks.
Business
Attacker gains ability to read or write kernel memory outside intended bounds.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
Trigger out-of-bounds access in the perf_swevent_enabled array during sw_perf_event_destroy() callback.
Business
Kernel memory corruption occurs, potentially corrupting security-critical data structures.
3
Lateral reach — past segmentation narrative 3
Attacker
Leverage memory corruption to overwrite kernel code or privilege escalation gadgets.
Business
Attacker achieves arbitrary code execution with kernel privileges.
4
Data at risk — exfiltration narrative 4
Attacker
Execute arbitrary kernel-level operations with full system access.
Business
Complete system compromise; attacker can disable security controls, install rootkits, or exfiltrate sensitive data.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05