// For flags

CVE-2018-16884

kernel: nfs: use-after-free in svc_process_common()

Severity Score

8.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.

Se ha encontrado un error en el subsistema de archivos NFS41+ del kernel de Linux. Las comparticiones de NFS41+ montadas en diferentes espacios de nombre al mismo tiempo pueden hacer que bc_svc_process() emplee el ID de canal trasero erróneo y provoque una vulnerabilidad de uso de memoria previamente liberada. Así, un usuario contenedor malicioso puede provocar la corrupción de la memoria host del kernel y un pánico del sistema. Debido a la naturaleza del error, no se puede descartar totalmente un escalado de privilegios.

*Credits: N/A
CVSS Scores
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
High
Attack Vector
Adjacent
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-09-11 CVE Reserved
  • 2018-12-18 CVE Published
  • 2023-12-12 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
References (24)
URL Tag Source
http://www.securityfocus.com/bid/106253 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html Mailing List
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html Mailing List
https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html Mailing List
https://support.f5.com/csp/article/K21430012 Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Third Party Advisory
URL Date SRC
URL Date SRC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16884 2023-08-11
https://patchwork.kernel.org/cover/10733767 2023-08-11
https://patchwork.kernel.org/patch/10733769 2023-08-11
URL Date SRC
https://access.redhat.com/errata/RHSA-2019:1873 2023-08-11
https://access.redhat.com/errata/RHSA-2019:1891 2023-08-11
https://access.redhat.com/errata/RHSA-2019:2696 2023-08-11
https://access.redhat.com/errata/RHSA-2019:2730 2023-08-11
https://access.redhat.com/errata/RHSA-2019:3309 2023-08-11
https://access.redhat.com/errata/RHSA-2019:3517 2023-08-11
https://access.redhat.com/errata/RHSA-2020:0204 2023-08-11
https://usn.ubuntu.com/3932-1 2023-08-11
https://usn.ubuntu.com/3932-2 2023-08-11
https://usn.ubuntu.com/3980-1 2023-08-11
https://usn.ubuntu.com/3980-2 2023-08-11
https://usn.ubuntu.com/3981-1 2023-08-11
https://usn.ubuntu.com/3981-2 2023-08-11
https://access.redhat.com/security/cve/CVE-2018-16884 2020-07-07
https://bugzilla.redhat.com/show_bug.cgi?id=1660375 2020-07-07
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.7 < 3.16.65
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 3.16.65"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.17 < 3.18.133
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.133"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.19 < 4.4.171
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.4.171"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.5 < 4.9.151
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.9.151"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.10 < 4.14.94
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.14.94"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.15 < 4.19.16
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.16"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.20 < 4.20.3
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 4.20.3"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Mrg
Search vendor "Redhat" for product "Enterprise Mrg"
 2.0
Search vendor "Redhat" for product "Enterprise Mrg" and version "2.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected