CVE-2018-16882

Ubuntu Security Notice USN-3878-1

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable.

Se ha detectado un uso de memoria previamente liberada en la manera en la que el hypervisor KVM del kernel de Linux procesa las interrupciones publicadas cuando la virtualización "nested(=1)" se encuentra habilitada. En caso de que se produzca un error durante el procesamiento de las direcciones de las interrupciones publicadas, nested_get_vmcs12_pages() desmapea "pi_desc_page" sin restablecer la dirección del descriptor "pi_desc", la cual se utiliza posteriormente en pi_test_and_clear_on(). Un usuario invitado/proceso podría aprovechar este fallo para forzar un cierre inesperado en el kernel del host, lo que resultaría en DoS o en el acceso privilegiado a un sistema. Las versiones del kernel anteriores a la 4.14.91 y la 4.19.13 son vulnerables.

It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information. Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of the Linux kernel, when handling interrupts in environments where nested virtualization is in use. A local attacker in a guest VM could possibly use this to gain administrative privileges in a host machine. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-09-11 CVE Reserved
2019-01-03 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (13)

URL	Tag	Source
http://www.securityfocus.com/bid/106254	Third Party Advisory
https://lwn.net/Articles/775720	Third Party Advisory
https://lwn.net/Articles/775721	Third Party Advisory
https://support.f5.com/csp/article/K80557033	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16882	2023-01-19
https://marc.info/?l=kvm&m=154514994222809&w=2	2023-01-19

URL	Date	SRC
https://usn.ubuntu.com/3871-1	2023-01-19
https://usn.ubuntu.com/3871-3	2023-01-19
https://usn.ubuntu.com/3871-4	2023-01-19
https://usn.ubuntu.com/3871-5	2023-01-19
https://usn.ubuntu.com/3872-1	2023-01-19
https://usn.ubuntu.com/3878-1	2023-01-19
https://usn.ubuntu.com/3878-2	2023-01-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 4.14.91 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.14.91"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 4.19.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.13"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"		-		Affected