Cyber Resilience

CVE-2013-6282

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 20 November 2013
Modified: 22 April 2026
KEV Added: 15 September 2022
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6765 (98.6th percentile)
Risk Priority: 78 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-6282 is a high-severity Improper Input Validation (CWE-20) vulnerability in the Linux kernel (vendor: Linux). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an instance of improper input validation (CWE-20) in the get_user and put_user API functions of the Linux kernel prior to version 3.5.5 when running on ARM v6k and v7 platforms. These functions do not validate certain addresses, allowing access to arbitrary kernel memory locations.

Local attackers who can execute a crafted application on an affected system can leverage the flaw to read from or write to arbitrary kernel memory. The issue carried a CVSS 3.1 score of 8.8 and was observed being exploited in the wild against Android devices during October and November 2013.

Advisories and the kernel changelog reference a fix that landed in version 3.5.5, with the corresponding commit (8404663f81d212918ff85f493649a7991209fa04) restoring proper address validation for the affected API functions on the impacted ARM platforms. Code Aurora and other downstream distributions published corresponding security notices pointing to the same upstream change.


Vulnerability details

The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.

CWE(s): CWE-20 (Improper Input Validation)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: ≤ 3.2.54 · 3.3 to 3.4.12 · 3.5 to 3.5.5

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of addresses passed to get_user/put_user, preventing the arbitrary kernel-memory read/write that the CVE exploits.

AC-3 Access Enforcement (prevent): Enforces that only explicitly authorized subjects may access kernel memory locations, blocking the unauthorized reads/writes enabled by the missing address checks.

Memory protection control, identifier not given on this page (prevent): Provides hardware or software memory-protection mechanisms that can limit the impact of invalid kernel-memory accesses attempted via the flawed APIs.
