PatchDay Alert
Analysis · Commentary · By The Commentary Desk

The fix shipped in 2015. The CVE came in 2017. The deadline landed in 2024.

CVE-2017-1000253 is a Linux kernel privilege escalation that was already patched upstream two years before it got a CVE. It got a federal deadline the same year CentOS 7 died. “Patched upstream” never meant “patched on your box.”

The kernel commit that fixes CVE-2017-1000253 landed in April 2015. A Google engineer, Michael Davidson, wrote it. The CVE didn’t exist yet. There was no advisory, no headline, no scramble. The bug was simply fixed in mainline Linux, the way thousands of bugs are, and everyone moved on.

It took until September 2017 for Qualys to notice that the fix had never been backported to the long-term enterprise kernels, re-discover the bug as a working privilege escalation, and get it a CVE. And it took until September 9, 2024, for CISA to put it on the Known Exploited Vulnerabilities catalog with a three-week remediation deadline, which happened to be the same year CentOS 7, one of the distributions it lives on, reached end of life. A bug fixed upstream in 2015 is now a present-tense exploitation problem on operating systems you can no longer patch through normal channels. That sequence is the whole lesson.

What the bug is

CVE-2017-1000253 is a stack/PIE memory-corruption flaw (CWE-119) in the kernel’s load_elf_binary() function, CVSS 7.8, local vector. When the kernel maps a position-independent executable below mm->mmap_base, it doesn’t reserve enough space for the entire binary, so later PT_LOAD segments spill into the gap between the stack and the binary and corrupt memory. An unprivileged local user who can run a SUID (or otherwise privileged) PIE binary can turn that corruption into root, per Qualys’s advisory. It’s local-only, so it’s a post-foothold escalation step, not an entry point. CISA flagged it for known ransomware-campaign use.

The affected list is the part that ages badly: Red Hat Enterprise Linux 6 and 7 prior to 7.4, and CentOS 6 and CentOS 7 before the 1708 build. Public exploit code has been available for years; it’s a standard entry in local-privilege-escalation toolkits and exploit-suggester scripts. Anything in that range that didn’t take the vendor’s 2017 kernel update is exploitable today.

“Patched upstream” is not a status that helps you

The reason this bug lived for years after it was fixed is the gap between mainline Linux and the kernels that enterprises actually run. Distributions like RHEL maintain their own long-lived kernel branches and selectively backport fixes; they do not simply ship whatever mainline shipped. When Davidson’s 2015 fix went into mainline, it was not automatically pulled into the 3.10-series kernels that RHEL and CentOS 6 and 7 were built on. So for two years, the canonical answer to “is this fixed?” was both yes (in mainline) and no (on the machines in production), and only the second answer mattered to anyone with a SUID binary and bad intentions.

That gap is not a Red Hat failure specifically; it’s a structural property of how enterprise Linux works, and it cuts the other way too, since vendor backporting is also why a CVSS number tied to mainline version ranges often doesn’t map cleanly to a RHEL erratum. But the operational takeaway is blunt: “the kernel fixed that years ago” tells you nothing about your fleet. The only thing that tells you anything is your distribution’s advisory and the kernel version actually booted on the box. Track the vendor erratum (RHSA), not the upstream commit.

The end-of-life trap

Here’s where the 2024 timing turns from ironic to operational. CentOS 7 reached end of life in mid-2024. CentOS 6 has been dead since 2020. A KEV entry’s required action is normally “apply the vendor patch,” and for this bug, on a supported RHEL system, that patch has existed since 2017; you just install the current kernel and reboot. But on an end-of-life CentOS 7 or 6 host, there is no vendor patch coming, and the machine may already be past the version where the fix was even offered.

For those systems, the KEV deadline is not really a patching instruction. It’s a decommissioning instruction wearing a patching instruction’s clothes. When the product is end-of-life and the fix isn’t available through support, the honest options are migration to a supported OS, an extended-support contract that backports for you, or isolation. If you have CentOS 6 or 7 still running, this CVE is one of several reasons that’s now a liability with a clock on it, not a “we’ll get to the migration eventually” item.

What to do

  • On supported RHEL/CentOS Stream and current kernels: confirm the booted kernel includes the fix via your distribution’s advisory for CVE-2017-1000253, and reboot into the patched kernel if you haven’t since. A patched kernel that’s installed but not booted is not a patched system.
  • On CentOS 6 or 7, or any EOL distro: treat this as a migration trigger, not a patch ticket. There is no upstream fix coming. Prioritize getting workloads onto a supported OS, and until then, isolate these hosts and tighten who can get a local shell on them, because this bug needs exactly that.
  • As an interim mitigation on affected systems you can’t immediately patch: Qualys documented that switching to the legacy mmap layout with vm.legacy_va_layout=1 blocks the exploitation path. Test it; it changes address-space layout and can affect other software, so it’s a stopgap, not a substitute for the kernel update.
  • Audit your SUID PIE binaries. The exploit needs a privileged PIE binary to target. Fewer unnecessary SUID binaries means less to escalate through, which is good hygiene well beyond this one CVE.
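
The host-side checks in the list above, as an added POSIX shell script that is not from the article, Qualys or any distribution: it compares RHEL-style kernel version strings so the installed-but-not-booted case can be spotted, classifies a file as PIE by reading the ELF e_type field, and lists SUID root-owned PIE executables. It assumes a little-endian host, kernels installed as /boot/vmlinuz-<version>, and od, find and tr on the PATH.

```sh
#!/bin/sh
# Added example, not from the article, Qualys or any distribution. Assumes a
# little-endian host, /boot/vmlinuz-<version> files, and od(1), find(1), tr(1).

# Returns 0 if version $1 is older than $2. Runs of digits are compared
# numerically (3.10.0-514.el7 < 3.10.0-693.el7); anything else is a separator.
version_lt() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $a
    for x in $b; do
        y=${1:-0}; [ $# -gt 0 ] && shift
        [ "$y" -lt "$x" ] && return 0
        [ "$y" -gt "$x" ] && return 1
    done
    return 1
}

# Prints "pie" (ET_DYN), "exec" (ET_EXEC) or "other" by reading the ELF e_type
# field: the 16-bit value at offset 16, right after the 16-byte e_ident.
elf_type() {
    magic=$(od -An -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = 7f454c46 ] || { echo other; return; }
    case $(od -An -t u2 -j 16 -N 2 "$1" | tr -d ' \n') in
        2) echo exec ;;
        3) echo pie ;;
        *) echo other ;;
    esac
}

# SUID, root-owned PIE executables under $1: the shape of binary this bug needs.
suid_pie_binaries() {
    find "${1:-/}" -xdev -type f -perm -4000 -user root 2>/dev/null |
    while read -r f; do
        [ "$(elf_type "$f")" = pie ] && printf '%s\n' "$f"
    done
}

# Newest kernel in /boot. If it is newer than uname -r, the fix is installed but
# not booted, which the article is right to say is not a patched system.
newest_installed_kernel() {
    best=""
    for f in /boot/vmlinuz-*; do
        [ -e "$f" ] || continue
        v=${f#/boot/vmlinuz-}
        if [ -z "$best" ] || version_lt "$best" "$v"; then best=$v; fi
    done
    printf '%s\n' "$best"
}
```

Run `version_lt "$(uname -r)" "$(newest_installed_kernel)"` to flag the reboot case from the first bullet, and `suid_pie_binaries /` for the audit list from the last one; `sysctl vm.legacy_va_layout` covers the stopgap bullet.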

The reframe is one sentence worth keeping. The age of a fix tells you when someone solved the problem; it tells you nothing about whether the solution ever reached your machine, and on an end-of-life OS, the gap between those two is permanent. We read the KEV catalog for exactly these, the bugs that were “fixed” long ago and are still being exploited because fixed-in-mainline and fixed-on-your-server were never the same thing.
