A local zero-day found in the Linux kernel can escalate privileges and may impact the mobile sector on an ongoing basis. Perception Point Research Team reported Analysis and Exploitation of a Linux Kernel Vulnerability (CVE-2016-0728) to the Red Hat Kernel security team and posted a proof of concept exploit.

The 0-day takes advantage of a reference leak in the keyring library. MITRE currently marks CVE-2016-0728 as reserved.

Here is a high level explanation of the proof of concept:

The Perception Point Research Team explains, “The [reference] leak occurs when a process tries to replace its current session keyring with the very same one.” A part of the Kernel code skips the key_put function and leaks the reference increased by find_keyring_by_name. The proof of concept takes advantage of the reference leak along with the lack of bounds checking to overflow the usage field and free the keyring object. The freed keyring object’s revoked function is used to execute functions with root privileges.

The Perception Point Research Teams ends the article with, “Thanks to David Howells, Wade Mealing and the whole Red Hat Security team for that fast response and the cooperation fixing the bug.”


This vulnerability may impact as much as tens of millions Linux PCs and Servers along with 66% of all Android devices. Unfortunately, since most carriers do not push updates to Android phones, the keychain vulnerability may linger for some time on mobile devices.

The issue can be traced back to a 2012 commit 3a50597de8635cd05133bd12c95681c82fe7b878 in kernel version 3.10. It affects Android KitKat 4.4 and higher, Red Hat Enterprise Linux 7 kernel and derivatives, and Ubuntu 14.04 LTS, just to name a few. You can find a list of vulnerable Linux distributions here.

The proof of concept escalates privileges from a local user to root, takes about 30 minutes to run with a Core-i7 and was tested on kernel 3.18 64 bit.


Identification is simple. Check your kernel version with the command uname –r . If you are running anything above kernel version 3.10, it is imperative to look for a patch and upgrade when one is available.

If the proof of concept exploit is successful, no log events will be generated.

One advantage to the proof of concept exploit is that it can take thirty minutes or more to execute, so it is possible to detect the exploit running by observing key file’s excessive usage counts with the cat /proc/keys command.


Enabling SMEP (Supervisor Mode Execution Protection) and SMAP (Supervisor Mode Access Protection) may make the exploit more difficult.

The Red Hat Security Advisory has put out a patch for the kernel vulnerability.

Ubuntu Security Notice USN-2870-2 recommends updating your 12.04 LTS system to package versions outlined below.

  • linux-image-3.13.0-76-generic
  • linux-image-3.13.0-76-generic-lpae
  • 13.0-76.120~precise1

Overall, everyone is working diligently to push out an update. GuidePoint recommends patching as soon as a patch is ready. GuidePoint Security is available to assist our customers with any remediation efforts. Please contact your Account Executive or click here for more details on how GuidePoint can help.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.