CVE-2016-2856
Description
pt_chown in glibc lacks namespace check, allowing local users to capture keystrokes, spoof data, and potentially gain privileges via pts operations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The pt_chown utility in the GNU C Library (glibc) before 2.19-18+deb8u4 on Debian jessie, before 2.15-0ubuntu10.14 on Ubuntu 12.04 LTS, before 2.19-0ubuntu6.8 on Ubuntu 14.04 LTS, before 2.21-0ubuntu4.2 on Ubuntu 15.10, and before 2.23-0ubuntu1 on Ubuntu 16.04 LTS and 16.10 lacks a namespace check when changing ownership of /dev/pts slave ptys. It uses ptsname() to get the slave path, which relies on a TIOCGPTN ioctl on the master file descriptor. This allows an attacker in a user namespace to create a new devpts mount with newinstance, create master/slave pairs until a number overlaps with a target pty on the host, then invoke pt_chown to gain ownership of that host pty [1][3]. The vulnerability is not considered an upstream issue because the upstream documentation advises against enabling --enable-pt_chown [2].
Exploitation
A local attacker needs the ability to create a user namespace, mount a new devpts instance with the newinstance option, and create pty pairs until the slave number collides with a target pty on the host (e.g., /dev/pts/0). The attacker then runs the setuid pt_chown binary while holding the master file descriptor of the colliding pty from within the namespace. pt_chown performs chown on the slave path, changing its ownership to the attacker's real user ID, thereby transferring control of the target pty [1][3]. No authentication or additional privileges are required beyond the ability to create user namespaces, which is available to unprivileged users on affected systems.
Impact
Upon successful exploitation, the attacker can read keystrokes typed on the compromised terminal and inject fake output, effectively intercepting all terminal I/O for that session. This can lead to disclosure of sensitive information (e.g., passwords) and potentially privilege escalation if the attacker controls a root shell or gains access to a privileged account [1][2][3]. The attack is local and requires low privileges to execute.
Mitigation
Affected Ubuntu systems are fixed in USN-2985-1 and USN-2985-2 (with a regression fix) [4]. For Debian, the fix is included in glibc version 2.19-18+deb8u4 for jessie. Upstream recommends not using the --enable-pt_chown option; disabling pt_chown (e.g., removing the setuid bit or removing the binary) is an effective workaround. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
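The workaround above (dropping the setuid bit from pt_chown or removing the binary) and the user-namespace precondition can be audited with the following shell check. It is an added example, not code from the advisory, Debian, Ubuntu or glibc; the install paths and sysctl knobs it consults are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or glibc). It checks whether the
# CVE-2016-2856 workaround is in place: no setuid pt_chown on a host where
# unprivileged users can create user namespaces.

# State of one pt_chown binary: absent | not-setuid | setuid
pt_chown_status() {
    if [ ! -e "$1" ]; then echo absent
    elif [ -u "$1" ]; then echo setuid
    else echo not-setuid
    fi
}

# Can unprivileged users create user namespaces? yes | no | unknown
# Assumption: the Debian/Ubuntu knob, or else the mainline limit, answers this.
userns_unprivileged_allowed() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] && echo yes || echo no
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] && echo yes || echo no
    else
        echo unknown
    fi
}

# Combine both checks; returns 1 when exposed so it can gate a CI job.
audit_pt_chown() {
    exposed=0
    for p in "$@"; do
        s=$(pt_chown_status "$p")
        echo "$p: $s"
        [ "$s" = setuid ] && exposed=1
    done
    ns=$(userns_unprivileged_allowed)
    echo "unprivileged user namespaces: $ns"
    if [ "$exposed" = 1 ] && [ "$ns" != no ]; then
        echo "result: exposed; remove the setuid bit from pt_chown or remove the binary"
        return 1
    fi
    echo "result: mitigated"
    return 0
}

# Assumed typical install locations; pass explicit paths to override them.
if [ $# -gt 0 ]; then audit_pt_chown "$@"
else audit_pt_chown /usr/lib/pt_chown /usr/libexec/pt_chown /usr/lib/*/pt_chown
fi
```

A host that has already applied the USN/Debian update still passes only if the installed pt_chown is no longer setuid, so run it after patching to confirm the binary's mode.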
Affected products
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The pt_chown utility lacks a namespace check when handling file descriptors for pseudo-terminal (pts) devices."
Attack vector
An attacker can create a user namespace and mount a new instance of devpts. By creating master and slave pts pairs until the number overlaps with a target pts device outside the namespace, the attacker can then use the `pt_chown` utility to gain ownership of the target pts device. This allows the attacker to capture keystrokes, spoof data, and potentially escalate privileges [ref_id=1].
Affected code
The vulnerability lies within the `pt_chown` utility, specifically in its handling of pts devices. The code uses the `ptsname` function and `TIOCGPTN` ioctl to determine the slave pts number, then uses `chown` to change ownership. This process is flawed when user namespaces are involved, as demonstrated in `login/programs/pt_chown.c` [ref_id=1, ref_id=3].
What the fix does
The advisory does not specify a patch or provide details on the fix. However, it notes that the upstream GNU C Library considers the `--enable-pt_chown` option insecure and recommends against its use. The recommended fix involves the kernel preventing the TIOCGPTN ioctl when invoked from a process in one namespace acting on a file descriptor from a devpts instance in a different namespace. Additionally, `pt_chown` should verify that the passed file descriptor originates from the same namespace as the target device [ref_id=2].
Preconditions
- config: The system must have the `pt_chown` utility installed and built with the `--enable-pt_chown` option, which is considered insecure by upstream [ref_id=2].
- auth: The attacker must have the ability to create user namespaces.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/ (nvd)
- people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2856.html (nvd)
- www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/ (nvd)
- www.openwall.com/lists/oss-security/2016/02/23/3 (nvd)
- www.openwall.com/lists/oss-security/2016/03/07/2 (nvd)
- www.securityfocus.com/bid/84601 (nvd)
- www.ubuntu.com/usn/USN-2985-1 (nvd)
- www.ubuntu.com/usn/USN-2985-2 (nvd)
News mentions
No linked articles in our index yet.