CVE-2018-18281
kernel: TLB flush happens too late on mremap
Public Exploits: 1
Exploited in Wild: -
Descriptions
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
Linux has an issue where mremap() performs a TLB flush too late with concurrent ftruncate().
SSVC
- Decision: -
Timeline
- 2018-10-12 CVE Reserved
- 2018-10-29 CVE Published
- 2023-10-24 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-459: Incomplete Cleanup
- CWE-672: Operation on a Resource after Expiration or Release
References (29)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/105761 | Third Party Advisory | |
http://www.securityfocus.com/bid/106503 | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html | Mailing List |
URL | Date | SRC |
---|---|---|
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695 | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2019:0831 | 2020-08-24 | |
https://access.redhat.com/errata/RHSA-2019:2029 | 2020-08-24 | |
https://access.redhat.com/errata/RHSA-2019:2043 | 2020-08-24 | |
https://access.redhat.com/errata/RHSA-2020:0036 | 2020-08-24 | |
https://access.redhat.com/errata/RHSA-2020:0100 | 2020-08-24 | |
https://access.redhat.com/errata/RHSA-2020:0103 | 2020-08-24 | |
https://access.redhat.com/errata/RHSA-2020:0179 | 2020-08-24 | |
https://usn.ubuntu.com/3832-1 | 2020-08-24 | |
https://usn.ubuntu.com/3835-1 | 2020-08-24 | |
https://usn.ubuntu.com/3871-1 | 2020-08-24 | |
https://usn.ubuntu.com/3871-3 | 2020-08-24 | |
https://usn.ubuntu.com/3871-4 | 2020-08-24 | |
https://usn.ubuntu.com/3871-5 | 2020-08-24 | |
https://usn.ubuntu.com/3880-1 | 2020-08-24 | |
https://usn.ubuntu.com/3880-2 | 2020-08-24 | |
https://access.redhat.com/security/cve/CVE-2018-18281 | 2020-01-21 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1645121 | 2020-01-21 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Linux | Linux Kernel | >= 3.2 < 4.9.135 | - | Affected |
Linux | Linux Kernel | >= 4.9.136 < 4.14.78 | - | Affected |
Linux | Linux Kernel | >= 4.14.79 < 4.18.16 | - | Affected |
Linux | Linux Kernel | >= 4.18.17 < 4.19 | - | Affected |
Canonical | Ubuntu Linux | 12.04 | esm | Affected |
Canonical | Ubuntu Linux | 14.04 | lts | Affected |
Canonical | Ubuntu Linux | 16.04 | lts | Affected |
Canonical | Ubuntu Linux | 18.04 | lts | Affected |
Canonical | Ubuntu Linux | 18.10 | - | Affected |
Debian | Debian Linux | 8.0 | - | Affected |