The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
CVE-2012-0217
Score elevated to 9.0 because EPSS predicts 88% probability of exploitation within the next 30 days (top 0.5% of all CVEs). Confidence: see factors.
- No confirmed exploitation signals yet
A fix is available — apply it.
- CVSS v3
- —
- EG Score
- 9.0(low)
- EPSS
- 98.3%
- KEV
- Not listed
Published
June 12, 2012
Last Modified
April 29, 2026
References (46)
- security@debianhttp://blog.illumos.org/2012/06/14/illumos-vulnerability-patched/
- security@debianhttp://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/
- security@debianhttp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc
- security@debianhttp://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
- security@debianhttp://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html
- security@debianhttp://secunia.com/advisories/55082
- security@debianhttp://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
- security@debianhttp://security.gentoo.org/glsa/glsa-201309-24.xml
- security@debianhttp://smartos.org/2012/06/15/smartos-news-3/
- security@debianhttp://support.citrix.com/article/CTX133161
- security@debianhttp://wiki.smartos.org/display/DOC/SmartOS+Change+Log#SmartOSChangeLog-June14%2C2012
- security@debianhttp://www.debian.org/security/2012/dsa-2501
- security@debianhttp://www.debian.org/security/2012/dsa-2508
- security@debianhttp://www.kb.cert.org/vuls/id/649219
- security@debianhttp://www.mandriva.com/security/advisories?name=MDVSA-2013:150
Vendor Advisories for CVE-2012-0217(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(2)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | kernel-0:2.6.18-308.8.2.el5 | 2012-06-12 | redhat |
| redhat | kernel-0:2.6.18-238.39.1.el5 | 2012-06-12 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(1)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
Data Freshness Timeline
(refreshed 5× in last 7d / 33× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-06 16:23 UTCEPSS rescore
- 2026-07-05 14:59 UTCOSV refresh
- 2026-07-05 02:26 UTCEPSS rescore
- 2026-07-02 14:01 UTCEPSS rescore
- 2026-07-01 15:02 UTCEPSS rescore
- 2026-06-28 14:03 UTCEPSS rescore
- 2026-06-28 04:53 UTCEPSS rescore
- 2026-06-28 04:53 UTCEPSS rescore
- 2026-06-27 03:05 UTCEPSS rescore
- 2026-06-27 03:05 UTCEPSS rescore
- 2026-06-25 13:46 UTCEPSS rescore
- 2026-06-25 13:46 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-21 01:56 UTCEPSS rescore
- 2026-06-21 01:56 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-17 17:49 UTCEPSS rescore
- 2026-06-17 17:49 UTCEPSS rescore
- 2026-06-17 02:05 UTCOSV refresh
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-15 17:44 UTCEPSS rescore
Show 39 moreShow fewer
- 2026-06-14 23:14 UTCEPSS rescore
- 2026-06-14 23:14 UTCEPSS rescore
- 2026-06-13 22:57 UTCEPSS rescore
- 2026-06-12 23:08 UTCEPSS rescore
- 2026-06-10 22:14 UTCEPSS rescore
- 2026-06-10 13:18 UTCEPSS rescore
- 2026-06-08 14:14 UTCEPSS rescore
- 2026-06-08 14:14 UTCEPSS rescore
- 2026-06-07 15:22 UTCEPSS rescore
- 2026-06-07 15:22 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-04 13:09 UTCEPSS rescore
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-06-01 13:49 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-29 13:41 UTCEPSS rescore
- 2026-05-29 04:22 UTCEG score recompute
- 2026-05-29 04:22 UTCVendor advisory
- 2026-05-29 04:22 UTCGHSA enrichment
- 2026-05-28 00:03 UTCOSV refresh
- 2026-05-26 13:41 UTCEPSS rescore
- 2026-05-26 13:41 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-21 22:39 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
Publicly available exploits
(4 references)Working exploit code is in the public domain (1 Metasploit module) (3 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-46508✓ verifiedFirst seen Mar 7, 2019
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)
Open source ↗ - Exploit-DBEDB-28718✓ verifiedFirst seen Oct 4, 2013
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation
Open source ↗ - Exploit-DBEDB-20861✓ verifiedFirst seen Aug 27, 2012
Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042)
Open source ↗ - Metasploitexploit/freebsd/local/intel_sysret_priv_esc✓ verifiedFirst seen Jun 12, 2012
FreeBSD Intel SYSRET Privilege Escalation
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-119
Frequently asked(4)
What is CVE-2012-0217?
When was CVE-2012-0217 disclosed?
Is CVE-2012-0217 actively exploited?
How do I remediate CVE-2012-0217?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2012-0217
Is Your Infrastructure Affected by CVE-2012-0217?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.