Cyber Posture

Local Privilege Escalation (LPE)

A Local Privilege Escalation vulnerability lets an attacker who already has some access to a machine — a low-privilege user account, a sandboxed process, a compromised service — raise that access to administrator/root level. LPE is the second half of most real-world intrusions: the attacker gets a foothold one way, then uses an LPE bug to gain the privileges needed to disable defences, install persistence, or read everyone else's data on the box.

Why it matters

An LPE bug alone is not how an intrusion starts — it is how an intrusion succeeds. Without LPE, an attacker who phishes a user is constrained to that user's permissions. With LPE, the same phish turns into full domain compromise. Defenders should treat LPE flaws on shared systems (servers, jump hosts, developer workstations) as urgent even when the CVSS score looks modest because the attack vector is local.

How we identify LPE on this site

The LPE badge on a CVE page is deterministic. We emit it when both of the following are true:

What to do when you see the badge

LPE matters most on systems where multiple identities share a kernel: multi-user servers, container hosts, build agents, kiosks, and workstations used to access sensitive data. Patch promptly and harden the surrounding controls. The CVE page links to the NIST 800-53 r5 controls most relevant to defending against LPE.

See also: Remote Code Execution (RCE).