Local privilege escalation vulnerability in the glibc library affects versions 2.35 to 2.38 (build tested: 2.35-0ubuntu3.3) and allows an unprivileged user to corrupt the internal state of the dynamic loader. By supplying an excessively long GLIBC_TUNABLES string with specific formatting, it is possible to:
1. Change the value of the effective DT_RPATH / DT_RUNPATH
2. Force the loader to load an attacker-controlled shared object instead of the legitimate one.
3. Trigger arbitrary code execution in the context of a setuid binary (e.g., /usr/bin/su).
The PoC is a classic, well-structured implementation of this technique. It:
1. Creates an in-place patch for libc.so.6 by overwriting the __libc_start_main symbol with a short x86_64 shellcode that
a) Calls setuid(0) and setgid(0)
b) Runs /bin/sh
2. Creates a copy of the patched libc in a directory labeled: " (example abuse of path parsing)
3. Creates a malicious environment with carefully aligned GLIBC_TUNABLES entries to trigger the overflow and thereby control the loader's behavior
4. Continuously forks and runs execve("/usr/bin/su", ["su", "--help"], malicious_env) until a timing heuristic determines that an attempt has succeeded (a su process that hangs in the shellcode runs noticeably longer than one that fails). On success it yields a root shell.
Primary Technical Considerations
1. The vulnerability was disclosed in late 2023 and remains exploitable on unpatched or partially patched systems until those systems reach end of support (by 2026); some Ubuntu 22.04 LTS machines remained unpatched well beyond the three months following the October 2023 disclosure.
2. The Red Hat / Qualys advisory prompted rapid patching on many systems; however, many lower-tier distributions (especially long-term support releases) took longer to fully deploy patches or complete their mitigations.
3. glibc 2.39 (released in February 2024) fully addressed the faulty parsing logic.
4. All patched Ubuntu 22.04 LTS systems carry the required security fix (libc6 2.35-0ubuntu3.8, USN-6502-1, released in November 2023); however, because even high-priority patches are deployed slowly, many Ubuntu 22.04 LTS systems remained potentially vulnerable to exploitation into 2025.
Risks in real life
1. Local access is required, i.e. an unprivileged shell or a compromised user account.
2. /usr/bin/su must be setuid root (it is in all common configurations).
3. Local only, not network-reachable, so it cannot be exploited remotely.
4. Highly reliable under lab conditions; on a real target, success per attempt is much less likely because of race conditions, ASLR and other factors, hence the PoC's retry loop.
Mitigation (February 2026)
1. Patch if you have glibc 2.38 or lower:
a. Ubuntu/Debian: apt update && apt upgrade libc6
b. RHEL/CentOS/Fedora: yum/dnf update glibc
2. AppArmor and SELinux can mitigate (by blocking environment variable tampering on setuid binaries).
3. Harden your environment: remove unused setuid binaries and restrict access to /usr/bin/su.
4. Audit for unusual GLIBC_TUNABLES values in process environments using auditd or Falco rules.
5. Move to a modern distribution: Ubuntu 24.04 LTS and Fedora 41+ ship glibc 2.39 or later.
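A defensive check for mitigation item 4, added here as an example (it is not part of the original write-up or the PoC): it parses the NUL-separated format of /proc/<pid>/environ and flags GLIBC_TUNABLES values that are unusually long or that contain entries not shaped like glibc.<namespace>.<name>=<value>. The 256-byte threshold and the sample environ blobs are constructed; on a live host, feed it the raw bytes read from /proc/<pid>/environ.

```python
import re

# Constructed threshold: legitimate GLIBC_TUNABLES values are a few dozen bytes.
MAX_TUNABLES_LEN = 256
# Well-formed entry: glibc.<namespace>.<name>=<value>, e.g. glibc.malloc.mxfast=64
TUNABLE_RE = re.compile(r"^glibc\.[a-z_]+\.[a-z0-9_]+=[A-Za-z0-9_,-]+$")


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE blob that /proc/<pid>/environ exposes."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def check_tunables(value: str) -> list:
    """Return the reasons a GLIBC_TUNABLES value looks abnormal (empty if benign)."""
    reasons = []
    if len(value) > MAX_TUNABLES_LEN:
        reasons.append(f"length {len(value)} exceeds {MAX_TUNABLES_LEN}")
    bad = [e for e in value.split(":") if not TUNABLE_RE.match(e)]
    if bad:
        reasons.append(f"{len(bad)} malformed entries, first: {bad[0][:40]!r}")
    return reasons


def scan(environs: dict) -> dict:
    """Map pid -> reasons for every process whose GLIBC_TUNABLES looks abnormal."""
    findings = {}
    for pid, blob in environs.items():
        value = parse_environ(blob).get("GLIBC_TUNABLES")
        reasons = check_tunables(value) if value is not None else []
        if reasons:
            findings[pid] = reasons
    return findings


# Constructed sample blobs standing in for /proc/<pid>/environ contents.
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=64:glibc.rtld.nns=4\0",
    102: b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=" + b"A" * 400 + b"\0",
    103: b"PATH=/usr/bin\0GLIBC_TUNABLES=not_a_tunable=1\0HOME=/tmp\0",
}

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_ENVIRONS).items():
        print(pid, "; ".join(reasons))
```

Any hit on a setuid helper's environment deserves a look, since there is no ordinary reason for such a process to carry tunables at all.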
Source: Exploit DB
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067