CVE-2018-16884

kernel: nfs: use-after-free in svc_process_common()

Severity Score

8.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.

Se ha encontrado un error en el subsistema de archivos NFS41+ del kernel de Linux. Las comparticiones de NFS41+ montadas en diferentes espacios de nombre al mismo tiempo pueden hacer que bc_svc_process() emplee el ID de canal trasero erróneo y provoque una vulnerabilidad de uso de memoria previamente liberada. Así, un usuario contenedor malicioso puede provocar la corrupción de la memoria host del kernel y un pánico del sistema. Debido a la naturaleza del error, no se puede descartar totalmente un escalado de privilegios.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-09-11 CVE Reserved
2018-12-18 CVE Published
2024-08-05 CVE Updated
2025-05-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (24)

URL	Tag	Source
http://www.securityfocus.com/bid/106253	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html	Mailing List
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html	Mailing List
https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html	Mailing List
https://support.f5.com/csp/article/K21430012	Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16884	2023-08-11
https://patchwork.kernel.org/cover/10733767	2023-08-11
https://patchwork.kernel.org/patch/10733769	2023-08-11

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:1873	2023-08-11
https://access.redhat.com/errata/RHSA-2019:1891	2023-08-11
https://access.redhat.com/errata/RHSA-2019:2696	2023-08-11
https://access.redhat.com/errata/RHSA-2019:2730	2023-08-11
https://access.redhat.com/errata/RHSA-2019:3309	2023-08-11
https://access.redhat.com/errata/RHSA-2019:3517	2023-08-11
https://access.redhat.com/errata/RHSA-2020:0204	2023-08-11
https://usn.ubuntu.com/3932-1	2023-08-11
https://usn.ubuntu.com/3932-2	2023-08-11
https://usn.ubuntu.com/3980-1	2023-08-11
https://usn.ubuntu.com/3980-2	2023-08-11
https://usn.ubuntu.com/3981-1	2023-08-11
https://usn.ubuntu.com/3981-2	2023-08-11
https://access.redhat.com/security/cve/CVE-2018-16884	2020-07-07
https://bugzilla.redhat.com/show_bug.cgi?id=1660375	2020-07-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.7 < 3.16.65 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 3.16.65"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.17 < 3.18.133 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.133"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 4.4.171 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.4.171"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.5 < 4.9.151 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.9.151"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 4.14.94 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.14.94"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 4.19.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.16"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 4.20.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 4.20.3"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Mrg Search vendor "Redhat" for product "Enterprise Mrg"				2.0 Search vendor "Redhat" for product "Enterprise Mrg" and version "2.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected