Cyber Resilience

CVE-2016-5195

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 10 November 2016

Published
10 November 2016
Modified
21 April 2026
KEV Added
03 March 2022
Patch
CVSS Score v3.1 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.8352 99.6th percentile
Risk Priority 100 floored blend · peak EPSS

Summary

CVE-2016-5195 is a high-severity Race Condition (CWE-362) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.0 (High).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a race condition in mm/gup.c within the Linux kernel versions 2.x through 4.x prior to 4.8.3. It stems from incorrect handling of the copy-on-write (COW) mechanism, enabling writes to read-only memory mappings. This flaw is tracked as CVE-2016-5195, carries a CVSS 3.1 score of 7.0, and is associated with CWE-362.

Local users with low privileges can exploit the race condition to escalate privileges on affected systems. The issue was actively exploited in the wild as of October 2016 under the name Dirty COW, allowing attackers to modify memory regions that should remain read-only and thereby obtain elevated access.

Advisories and patches reference a kernel commit addressing the flaw along with vendor notifications from FortiGuard and Juniper that point to updated kernel releases for mitigation. The vulnerability saw real-world exploitation shortly after disclosure, highlighting its impact on unpatched Linux systems running affected kernel versions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild…

more

in October 2016, aka "Dirty COW."

CWE(s)
KEV Date Added
03 March 2022

Related Threats

CVEs Like This One

CVE-2025-0111Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2025-0108Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2024-3400Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2026-0257Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2026-0300Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2025-59718Same product class: VPN / SSL gatewayboth on KEV
CVE-2026-3055Same product class: VPN / SSL gatewayboth on KEV
CVE-2023-4966Same product class: VPN / SSL gatewayboth on KEV
CVE-2026-24858Same product class: VPN / SSL gatewayboth on KEV
CVE-2025-0282Same product class: VPN / SSL gatewayboth on KEV

Affected Assets

canonical
ubuntu linux
12.04, 14.04, 16.04, 16.10
linux
linux kernel
2.6.22 — 3.2.83 · 3.3 — 3.4.113 · 3.5 — 3.10.104
redhat
enterprise linux
5, 6.0, 7.0
redhat
enterprise linux aus
6.2, 6.4, 6.5
redhat
enterprise linux eus
6.6, 6.7, 7.1
redhat
enterprise linux long life
5.6, 5.9
redhat
enterprise linux tus
6.5
debian
debian linux
7.0, 8.0
fedoraproject
fedora
23, 24, 25
paloaltonetworks
pan-os
5.1 — 7.0.14 · 7.1.0 — 7.1.8
+8 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces memory protection safeguards that block unauthorized writes to read-only mappings, exactly the COW race condition exploited by CVE-2016-5195.

prevent

Requires timely application of the kernel patch (commit fixing mm/gup.c) that eliminates the Dirty COW race condition before local exploitation can succeed.

prevent

Limits privileges of local accounts so that even successful memory-mapping bypass yields minimal additional access on unpatched kernels.

References