computer security vulnerability
Dirty COW (Dirty copy-on-write) is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before … Wikipedia
Factsheet
CVE identifier CVE-2016-5195
Discoverer Vulnerability: unknown
Exploit code: Phil Oester
Affected software Linux kernel (<4.8.3)
Factsheet
CVE identifier CVE-2016-5195
Discoverer Vulnerability: unknown
Exploit code: Phil Oester
Affected software Linux kernel (<4.8.3)
🌐
Wikipedia
en.wikipedia.org › wiki › Dirty_COW
Dirty COW - Wikipedia
April 1, 2026 - Dirty COW (Dirty copy-on-write) is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race ...
🌐
University of Toronto
cs.toronto.edu › ~arnold › 427 › 18s › 427_18S › indepth › dirty-cow › index.html
Dirty Cow
A visually explained demo can be found here. Dirty COW was a vulnerability in the Linux kernel. It allowed processes to write to read-only files. This exploit made use of a race condition that lived inside the kernel functions which handle the copy-on-write (COW) feature of memory mappings.
🌐
Red Hat
redhat.com › en › blog › understanding-and-mitigating-dirty-cow-vulnerability
Understanding and mitigating the Dirty Cow Vulnerability
November 17, 2025 - In order to be successful, an attacker ... Dirty Cow works by creating a race condition in the way the Linux kernel's memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings....
Top answer
1 of 2
14

I'm not a linux kernel expert, but I am familiar with the concepts involved and I read Linus' comment and the diff. I'll give it a go - perhaps people can correct me if I get it wrong and we'll hash things out together.

Copy On Write is an internal memory concept where, primarily for performance reasons, operations that make a copy of a section of memory don't actually get their own copy unless and until they make a change to that memory - at which point, you quickly make their copy, make the change to that and hand it back to them. The advantage is that you don't have to do the work of making the copy unless and until they actually change it - faster, less memory usage, better caching.

The bug here is in the code that does that copying. It appears that there is a race condition in that copy (or actually in the bookkeeping around that copy). A race condition happens when two different processes or threads are accessing the same resource and step on each other. In this case, what happens is that the memory is flagged to be writeable before it is actually copied - if two threads are working very closely to each other, the second can take advantage of the writeable flag and actually write to the original memory, not the copy.

The exploit is that this lets a process elevate itself by getting write access to the kernel's own understanding of it. The kernel knows what user each process is running at - by taking a copy of that memory that kernel is using to store that info using Copy On Write, then using this Dirty COW bug, they can actually write the user info into the kernel's own copy. So they write that the process is being run as root.. and then they can do anything.

The demo program uses that to write to a file only writeable by root, but it could have done literally anything. The fix was to separate out a new flag saying they are doing a CopyOnWrite, instead of using the Write flag for both.

2 of 2
17

You and 3 other people are studying for a test, using the same notes.

You say "I gotta go, I need to make a copy of these notes for myself that I can mark up... let me go make a copy!"

You take the notes to the photocopier, copy them, alter the original, and then take the modified original back to the rest of the group. That modified version is bad; you've altered some answers to be wrong.

The rest of the group is left studying off of a bad version of the notes, while you take the good version home.

You pass the test.

They fail.


The only nuance between this example and Dirty COW is that in Dirty COW you aren't supposed to be handed the original; the kernel makes the copy for you. But there's a race condition that mistakenly gives you access to the original when you ask for a copy. "Race condition" means "you can sneak in access to something you shouldn't have access to."

🌐
Spectral
spectralops.io › home › what is the dirty cow exploit, and how to prevent it
What is the Dirty COW exploit, and how to prevent it - Spectral
May 18, 2024 - In the case of the Dirty COW exploit, the race is between two operations: one operation writing to COW memory mappings and another continuously disposing of them. When these operations repeat non-stop, the kernel can be confused into writing data to read-only memory mappings instead of first creating a private copy of the data.
🌐
The Register
theregister.com › 2016 › 10 › 21 › linux_privilege_escalation_hole
Dirty COW explained: Get a moooo-ve on and patch Linux root hole • The Register
November 8, 2018 - Among other things, it allows running programs to share common data in memory until one of them wants to privately alter that data. At that point the kernel copies the data to another page in memory so just that one process can affect it – ...
🌐
Reddit
reddit.com › r/netsec › cve-2016-5195: dirty cow explained
r/netsec on Reddit: CVE-2016-5195: Dirty COW explained
October 25, 2016 - In the main repo of Dirty COW there is a cowroot.c which exploits the /etc/passwd file using the setuid-based root you described. Because it is readable and owned by root.
Find elsewhere
🌐
Medium
tsitsiflora.medium.com › dirty-cow-vulnerability-an-analysis-fdf50243dc6
Dirty Cow Vulnerability: An Analysis | by Tsitsi Flora | Medium
January 13, 2023 - The Dirty COW vulnerability is a very interesting case of a race condition vulnerability. It existed in the Linux kernel since 2007 and was discovered in 2016, and because the kernel runs as root, it can be exploited as a privilege escalation ...
🌐
YouTube
youtube.com › watch
Explaining Dirty Cow - Computerphile - YouTube
Dirty Cow is a serious security flaw. Dr Steve Bagley takes us through the details.http://www.facebook.com/computerphilehttps://twitter.com/computer_phileThi...
Published   October 28, 2016
🌐
Dirtycow
dirtycow.ninja
Dirty COW (CVE-2016-5195)
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel.
🌐
Rahalkar
rahalkar.dev › posts › 2019-09-15-understanding-dirty-cow-the-infamous-linux-kernel-exploit
Understanding Dirty COW - The Linux Kernel Exploit - Chaitanya Rahalkar
The exploit was registered under CVE with the designation: CVE-2016-5195. Dirty COW is a root privilege escalation exploit that attacks the Copy-On-Write mechanism in the Linux Kernel.
🌐
Cyberbit
materials.rangeforce.com › tutorial › 2019 › 11 › 07 › Dirty-Cow
Dirty Cow – Cyberbit
Copy-on-write or CoW is a technique to efficiently copy data resources in a computer system. If a unit of data is copied but not modified, the “copy” can exist as a reference to the original data. Only when the copied data is modified, a copy is created, and new bytes are actually written. In short, when a process requests a copy of some data (e.g., a file), the kernel does not create the actual copy until it’s being written into. Dirty COW (Dirty copy-on-write) is a vulnerability that affects all versions of the Linux kernel since version 2.6.22...
🌐
MakeUseOf
makeuseof.com › home › security › dirty cow vulnerability: everything you need to know to stay secure
Dirty COW Vulnerability: Everything You Need to Know to Stay Secure
January 27, 2018 - Dirty COW gets its name from the copy-on-write (COW) mechanism in the kernel's memory management system. Malicious programs can potentially set up a race condition to turn a read-only mapping of a file into a writable mapping.
🌐
Chao-tic
chao-tic.github.io › blog › 2017 › 05 › 24 › dirty-cow
Dirty COW and why lying is bad even if you are the Linux kernel
May 24, 2017 - In this case, because the original memory mapping for the region we want to modify is read-only, handle_mm_fault will honour its original permission configuration and create a new read-only (it’s a read-only mapping after all) COW page (do_wp_page) for the address we want to write to, marking it private as well as dirty, hence Dirty COW.
🌐
TechTarget
techtarget.com › searchsecurity › answer › How-can-the-Dirty-COW-vulnerability-be-used-to-attack-Android-devices
How can the Dirty COW vulnerability be used to attack Android devices? | TechTarget
March 7, 2017 - The Dirty COW vulnerability is a privilege escalation vulnerability, and it is caused by a race condition found in the way the Linux kernel's memory subsystem handles the copy-on-write breakage of private, read-only memory mappings.
🌐
Medium
medium.com › magebit › dirty-cow-what-is-it-and-how-it-affects-your-linux-server-7604595ebfa4
Dirty COW — What is it and how it affects your Linux server | by Artūrs Krūze | Magebit | Medium
April 17, 2020 - Here at Magebit when we propose to fix Dirty COW vulnerability we get questions such as what is it, why it is necessary to patch it and how did my server get infected. That is why I was encouraged to make this post — to explain the above and have a deeper look into the vulnerability.
🌐
GitHub
github.com › thaddeuspearson › Understanding_DirtyCOW
GitHub - thaddeuspearson/Understanding_DirtyCOW: A resource for novice security researchers to learn about the DirtyCOW vulnerability · GitHub
Dirty Copy-On-Write (COW) is a vulnerability affecting Linux Kernel Versions 2.6.22 - 4.8.3. It was initially found be security researcher Phil Oester. It's official name is CVE-2016-5195 and it is rated a CVSS base score of 7.8, which is categorized as high.
Starred by 7 users
Forked by 2 users
Languages   C
🌐
Hackercool Magazine
hackercoolmagazine.com › home › hacking › post-exploitation › privilege escalation › linux privilege escalation › dirty cow vulnerability: beginners guide
Beginners guide to Dirty COW vulnerability
April 6, 2026 - Dirty COW is a Linux privilege escalation vulnerability which is caused due to a race condition in the way the Linux kernel handled copy-on-write functions. The name Dirty COW came from this Copy-On-Write (COW).
🌐
Reddit
reddit.com › r/explainlikeimfive › eli5: what is dirty cow in linux?
r/explainlikeimfive on Reddit: ELI5: What is Dirty CoW in linux?
October 12, 2025 - Dirty COW is a famous Linux security bug from 2016 whose name comes from “copy-on-write” (COW). Copy-on-write is a memory-saving trick. Okay so imagine several people reading the same photocopy of a document. Everyone shares that one sheet.