One‑Stop Linux Privilege Escalation Toolkit Covering 24 Vulnerabilities Across 7 Architectures
lpe-toolkit is a multi‑architecture Linux privilege‑escalation toolkit that bundles 24 exploits across seven CPU architectures, automatically detects kernel versions to filter patched bugs, offers pre‑compiled binaries for amd64, multiple execution modes, and practical use cases for red‑team testing, incident response, and security research.
Tool Overview
lpe-toolkit (Linux Privilege Escalation Toolkit) is a multi‑architecture Linux privilege‑escalation utility maintained by security researcher portbuster1337. It bundles 24 pre‑packaged exploits (including CVEs and near‑0‑day bugs) and supports seven CPU architectures: amd64, arm64, 386, mips, mipsle, mips64, mips64le. The tool automatically reads the target kernel version and skips exploits that are already patched.
Supported Vulnerabilities
Copy Fail (CVE‑2026‑31431) – AF_ALG + splice page‑cache write
Dirty Pipe (CVE‑2022‑0847) – /etc/passwd page‑cache overwrite
PwnKit (CVE‑2021‑4034) – pkexec environment escape
Docker Socket – writable /var/run/docker.sock configuration error
GTFOBins – more than 80 password‑less sudo techniques
Core Feature Analysis
Automatic kernel version detection and exploit filtering
On launch the tool reads the target kernel version and automatically excludes exploits that are fixed in that version, reducing noisy alerts and avoiding unnecessary instability.
Pre‑compiled binaries for amd64
All amd64 exploits are embedded as pre‑compiled C binaries within the Go program, allowing immediate execution on systems without a development toolchain. For other architectures the exploit source is compiled at runtime using the target’s gcc.
Multiple execution modes
Dry‑run mode : lists applicable exploits without executing them. ./lpe-toolkit --dry-run Silent mode : runs silently and prints only the final result. ./lpe-toolkit -q -c "whoami" Command execution : runs a specified command after gaining root. ./lpe-toolkit -c "id" Skip specific exploits : omits known‑patched vulnerabilities.
./lpe-toolkit --skip "dirtypipe,pwnkit"Typical Use Cases
Penetration testing / authorized red‑team engagements
After obtaining a low‑privilege shell, a single invocation attempts all applicable escalation paths; the GTFOBins module covers over 80 sudo misconfigurations.
Incident response and host investigation
In a breach scenario, the --dry-run mode enumerates possible escalation routes on a compromised host, helping analysts infer the attacker’s technique.
Security research and vulnerability learning
The source is organized with each exploit in its own C file, providing a practical learning resource for techniques such as page‑cache overwrite, namespace escape, and D‑Bus races.
2026 New Vulnerabilities Added
CVE‑2026‑41651 (Pack2TheRoot): PackageKit D‑Bus race that writes a setuid‑root bash.
CVE‑2026‑46333 (pidfd race): Escalation via ssh‑keysign/shadow file‑descriptor theft.
CVE‑2026‑46331 (PEdit COW): tc‑pedit page‑cache overwrite of the su binary (kernel 5.18 – 7.1‑rc6).
CVE‑2026‑43503 (DirtyClone): ESP‑in‑UDP TEE contaminates /etc/passwd (kernel 7.1‑rc1 – rc4).
CVE‑2026‑46242 (Bad Epoll): epoll close‑vs‑close race leading to a use‑after‑free.
Usage Precautions
Use only in authorized security‑testing, penetration‑testing contracts, or incident‑response engagements.
Some exploits may trigger host‑based IDS/EDR alerts; exercise caution in production environments.
Run --dry-run first to verify applicable exploits before performing actual escalation.
Several new CVEs are version‑specific; the tool performs version checks automatically.
Project Repository
https://github.com/portbuster1337/lpe-toolkit
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
