CVE-2018-18281

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 30-10-2018 07:29

Last modified: - 26-10-2022 01:44

Total changes: - 3

Description

Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.

Common Vulnerability Scoring System (CVSS)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Low

Attack complexity

Local

Attack vector

High

Availability

High

Confidentiality

High

Integrity

Low

Privileges required

Unchanged

Scope

None

User interaction

7.8

Base score

1.8

5.9

Exploitability score

Impact score

Verification logic

Reference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695
[oss-security] 20181029 Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135, 4.14.78, 4.18.16, 4.19)-Mailing List, Patch, Third Party Advisory
http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html
105761-Third Party Advisory, VDB Entry
USN-3832-1-Third Party Advisory
USN-3835-1-Third Party Advisory
106503-Third Party Advisory, VDB Entry
USN-3871-1-Third Party Advisory
USN-3880-2-Third Party Advisory
USN-3871-4-Third Party Advisory
USN-3871-3-Third Party Advisory
USN-3880-1-Third Party Advisory
USN-3871-5-Third Party Advisory
[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update-Mailing List, Third Party Advisory
[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update-Mailing List, Third Party Advisory
[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update-Mailing List, Third Party Advisory
RHSA-2019:0831-
RHSA-2019:2043-
RHSA-2019:2029-
RHSA-2020:0036-
RHSA-2020:0100-
RHSA-2020:0103-
RHSA-2020:0179-

Keywords

CVE-2018-18281

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2018-18281

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures