Cyber Resilience

CVE-2014-3153

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 07 June 2014

Published
07 June 2014
Modified
21 April 2026
KEV Added
25 May 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.7533 98.9th percentile
Risk Priority 81 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2014-3153 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 1.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2014-3153 resides in the futex_requeue function within kernel/futex.c of the Linux kernel through version 3.14.5. The flaw arises because the function does not verify that FUTEX_REQUEUE operations specify two different futex addresses, permitting unsafe modification of waiter structures.

Local users can exploit the issue by supplying a crafted FUTEX_REQUEUE command, resulting in privilege escalation with full impact on confidentiality, integrity, and availability as reflected in the CVSS 7.8 score.

References including the upstream commit e9c243a5a6de0be8e584c604d353412584b592f8 and Oracle errata such as ELSA-2014-0771, ELSA-2014-3037, ELSA-2014-3038, and ELSA-2014-3039 indicate that mitigation is achieved through kernel updates that enforce proper address validation during futex requeue handling.

EU & UK References

Vulnerability details

The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.

CWE(s)
KEV Date Added
25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

linux
linux kernel
≤ 3.2.60 · 3.3 — 3.4.92 · 3.5 — 3.10.42
redhat
enterprise linux server aus
6.2
opensuse
opensuse
11.4
suse
linux enterprise desktop
11
suse
linux enterprise high availability extension
11
suse
linux enterprise real time extension
11
suse
linux enterprise server
11
canonical
ubuntu linux
12.04, 14.04
oracle
linux
5, 6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the kernel patch (e.g., commit e9c243a5) that adds the missing address validation in futex_requeue.

prevent

Requires validation of all inputs to futex_requeue, specifically enforcing two distinct futex addresses to block the crafted REQUEUE command.

prevent

Enforces kernel-level access decisions so that unsafe waiter modifications cannot result in unauthorized privilege escalation.

References