CVE-2013-6282 : The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5

The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.

Published 2013-11-20 13:19:43

Updated 2025-04-11 00:51:22

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2013-6282

Linux » Linux Kernel
Versions before (<) 3.2.54
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.3 and before (<) 3.4.12
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.5 and before (<) 3.5.5
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2013-6282

Top countries where our scanners detected CVE-2013-6282

Top open port discovered on systems with this issue 49152

IPs affected by CVE-2013-6282 158,793

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2013-6282!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

CVE-2013-6282 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Linux Kernel Improper Input Validation Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This allows an application to read and write kernel memory which could lead to privilege escalation.

Notes:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8404663f81d212918ff85f493649a7991209fa04; https://nvd.nist.gov/vuln/detail/CVE-2013-6282

Added on 2022-09-15 Action due date 2022-10-06

Exploit prediction scoring system (EPSS) score for CVE-2013-6282

EPSS FAQ

46.92%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2013-6282

Android get_user/put_user Exploit

Disclosure Date: 2013-09-06

First seen: 2020-04-26

exploit/android/local/put_user_vroot

This module exploits a missing check in the get_user and put_user API functions in the linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel mem

More information

CVSS scores for CVE-2013-6282

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-03
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST	2025-02-04
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2013-6282

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2013-6282

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8404663f81d212918ff85f493649a7991209fa04

Patch
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.5.5

Mailing List;Vendor Advisory

CVEs referencing this url
https://github.com/torvalds/linux/commit/8404663f81d212918ff85f493649a7991209fa04

ARM: 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_D… · torvalds/linux@8404663 · GitHub
Exploit;Patch
http://www.openwall.com/lists/oss-security/2013/11/14/11

oss-security - CVE-2013-6282 - linux kernel: missing access checks in get_user/put_user on ARM
Mailing List
http://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-api-cve-2013-6282

Page not found - Code Aurora
Patch
https://www.exploit-db.com/exploits/40975/

Google Android - get_user/put_user (Metasploit) - Android local Exploit
Exploit;Third Party Advisory;VDB Entry
http://www.ubuntu.com/usn/USN-2067-1

USN-2067-1: Linux kernel (OMAP4) vulnerabilities | Ubuntu security notices
Third Party Advisory;VDB Entry

CVEs referencing this url
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8404663f81d212918ff85f493649a7991209fa04

kernel/git/torvalds/linux.git - Linux kernel source tree
Exploit;Patch
http://www.securityfocus.com/bid/63734

Linux Kernel CVE-2013-6282 Local Privilege Escalation Vulnerabilities
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2013-6282