DEV.co
Open-Source Security · The-Z-Labs

linux-exploit-suggester

Linux Exploit Suggester (LES) is a shell-based auditing tool that scans a Linux system to identify exposure to known kernel privilege escalation exploits and verify hardening security measures. It uses heuristic matching of kernel versions and configurations against a curated database of CVEs with documented exploits.

Source: GitHub — github.com/The-Z-Labs/linux-exploit-suggester
6.6k
GitHub stars
1.2k
Forks
Shell
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryThe-Z-Labs/linux-exploit-suggester
OwnerThe-Z-Labs
Primary languageShell
LicenseGPL-3.0 — OSI-approved
Stars6.6k
Forks1.2k
Open issues24
Latest releaseUnknown
Last updated2026-03-20
Sourcehttps://github.com/The-Z-Labs/linux-exploit-suggester

What linux-exploit-suggester is

LES analyzes kernel version, distribution, and compile-time/runtime security configurations to assess exploit applicability via pattern matching against tagged vulnerability data. It provides exposure risk levels (highly probable, probable, less probable) and can audit kernel hardening features (KASLR, stack protection, etc.) alongside PoC download links and exploitation prerequisites.

Quickstart

Get the linux-exploit-suggester source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/The-Z-Labs/linux-exploit-suggester.gitcd linux-exploit-suggester# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Kernel vulnerability assessment during security audits

Rapidly identify which known Linux privilege escalation CVEs a target system is likely vulnerable to, enabling prioritized remediation and patch planning.

Red team engagement support

Automate reconnaissance to determine which public exploits are most likely to work on a given kernel/distribution combination without manual research.

Compliance and hardening verification

Verify kernel security feature enablement (SMEP, KASLR, stack protectors, etc.) and document security posture gaps against hardening benchmarks.

Implementation considerations

  • Tool requires local shell access and read permissions on /proc, /sys, and kernel config—cannot run remotely over SSH without explicit invocation.
  • Exploit database is maintained manually via GitHub; users must clone or download the .sh script and keep it current to detect newly published CVEs.
  • Output includes direct download links to PoC exploits from external sources (Exploit-DB, GitHub); no built-in exploit delivery or automated compilation.
  • Requires interpretation of exposure ratings and kernel capability/CONFIG flags; false positives are possible and manual verification is essential.
  • Supports heuristic-based uname string analysis for offline assessment, but live system scanning requires execution on the target.

When to avoid it — and what to weigh

  • Offensive use without authorization — This tool is explicitly designed for privilege escalation exploitation. Any deployment must comply with applicable law and have explicit permission from system owners.
  • Reliance on exploit success without testing — LES provides heuristic risk ratings, not guarantees. Many exploits require specific kernel configurations, capabilities, or custom compilation; testing is mandatory.
  • Expectation of zero-day or unreleased vulnerability detection — LES only identifies known, published CVEs. It cannot detect novel vulnerabilities or provide network-based (agentless) scanning.
  • Production deployment without security controls — This tool is a security testing utility; running it on production systems without restricted access and monitoring could leak sensitive kernel configuration data.

License & commercial use

Licensed under GPL-3.0. This is a copyleft open-source license requiring any derivative or distributed modifications to remain under GPL-3.0 and include source code.

GPL-3.0 permits commercial use; however, any modifications or bundling into commercial products must be under GPL-3.0 with source code disclosure. Commercial support, liability indemnification, or warranty are not provided. Organizations should review their license obligations with legal counsel before distribution.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool is designed to identify vulnerabilities; it does not itself exploit systems but facilitates reconnaissance and PoC staging. Execution requires local shell access and elevated kernel introspection privileges. No authentication or output encryption; kernel configurations and CVE exposure data are logged in plaintext. Operators must restrict tool access and output to authorized personnel; uncontrolled output could disclose kernel hardening gaps to unauthorized parties. Third-party exploit downloads are not integrity-checked; PoC sources should be verified independently.

Alternatives to consider

Lynis (CISOfy)

Broader security auditing tool covering kernel hardening, package vulnerabilities, and compliance checks; provides more comprehensive system health assessment but less specialized for kernel LPE exploitation.

Kernel exploit scanner (custom or CVE-DB integration)

Organizations may build internal scanners using CVE databases (NVD, Mitre) and kernel version APIs; offers control and tailored integration but requires ongoing maintenance.

Commercial vulnerability management platforms (Tenable, Qualys)

Provide agentless network scanning, centralized CVE correlation, and remediation workflows; higher overhead but include support, compliance reporting, and vendor liability.

Software development agency

Build on linux-exploit-suggester with DEV.co software developers

Use LES to audit kernel vulnerabilities and hardening measures. Integrate into your security assessment workflow today—download the GPL-3.0 tool from GitHub.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

linux-exploit-suggester FAQ

Can LES be run remotely or over the network?
No. LES is a local shell script and requires direct shell execution on the target system. It cannot be deployed as an agent or run agentlessly; SSH or physical shell access is required.
Does LES guarantee an exploit will work?
No. LES provides heuristic risk ratings (highly probable, probable, etc.). Many exploits require specific kernel build flags, capabilities, or custom compilation. Always test PoCs in a lab environment first.
How often is the exploit database updated?
Unknown. GitHub activity shows recent commits (2026-03-20), but there is no documented release schedule or update SLA. Users should check GitHub periodically and pull the latest script.
What are the legal implications of using LES?
LES is licensed under GPL-3.0 (permissive for use and modification) but its use to exploit systems without authorization is illegal. Commercial distributions must comply with GPL-3.0 and disclose source. Always obtain explicit permission before testing systems.

Work with a software development agency

From first prototype to production, DEV.co delivers software development services around tools like linux-exploit-suggester. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Strengthen your Linux security posture

Use LES to audit kernel vulnerabilities and hardening measures. Integrate into your security assessment workflow today—download the GPL-3.0 tool from GitHub.