Technique entry
LK-DIRTY-PAGETABLE · Privilege Escalation
Dirty Pagetable
Generic exploit technique: corrupt a PMD entry to alias attacker memory onto a kernel object — works for many bug classes (DirtyPipe-style).
§ Where this technique fits
LK-DIRTY-PAGETABLE is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 4 on average.
§ Dossiers chaining this technique
- step 3 / 6
io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- step 5 / 7
nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
§ What commonly comes next
- 01 Command and Scripting Interpreter · seen 1× · T1059 · Execution
- 02 modprobe_path Overwrite · seen 1× · LK-MODPROBE-PATH · Privilege Escalation