CVE-2004-2536
Description
Linux kernel 2.6-2.6.5 exit_thread() fails to clear per-TSS IO bitmap pointers, allowing privilege escalation via shared TSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel versions 2.6 through 2.6.5 contain a vulnerability in the exit_thread function in process.c. When a process obtains IO access permissions via the ioperm system call but does not drop those permissions before exiting, the kernel fails to invalidate the per-TSS (Task State Segment) io_bitmap pointers. This leaves the pointers dangling, allowing other processes to access them.
Exploitation
An attacker with local access to the system can exploit this by creating a process that acquires IO permissions using ioperm and then exits without revoking them. Subsequently, another process (or the same process after reincarnation) can access the stale TSS pointers, potentially reading or writing restricted memory locations. No special privileges are required beyond the ability to execute code.
Impact
Successful exploitation allows an attacker to access restricted memory locations, which can lead to information disclosure or privilege escalation. The attacker may gain elevated privileges, potentially compromising the entire system.
Mitigation
The vulnerability was fixed in Linux kernel version 2.6.6. Users should upgrade to a kernel version 2.6.6 or later. No workarounds are documented. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.1:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.1:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.5:*:*:*:*:*:*:*
- (no CPE) range: 2.6 through 2.6.5
Patches
No patches discovered yet.
References
- www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1242.html (nvd: Exploit, Patch)
- secunia.com/advisories/11577 (nvd: Vendor Advisory)
- www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.6 (nvd)
- www.osvdb.org/5997 (nvd)
- www.securityfocus.com/bid/10302 (nvd)
- www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1265.html (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/16106 (nvd)