// For flags

CVE-2018-18281

kernel: TLB flush happens too late on mremap

Severity Score

7.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.

Desde la versión 3.2 del kernel de Linux, la syscall mremap() realiza vaciados TLB tras soltar bloqueos de tabla de página. Si una syscall como ftruncate() elimina las entradas de las tablas de página de una tarea en medio de mremap(), una entrada TLB obsoleta puede permanecer por poco tiempo, lo que permite el acceso a una página física una vez se ha devuelto al asignador de páginas y se reutiliza. Esto se ha solucionado en las siguientes versiones del kernel: 4.9.135, 4.14.78, 4.18.16 y 4.19.

Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.

Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. Jann Horn discovered that the mremap system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service , expose sensitive information, or possibly execute arbitrary code. Various other issues were also addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-10-12 CVE Reserved
  • 2018-10-29 CVE Published
  • 2018-10-29 First Exploit
  • 2024-08-05 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-459: Incomplete Cleanup
  • CWE-672: Operation on a Resource after Expiration or Release
CAPEC
References (30)
URL Tag Source
http://www.securityfocus.com/bid/105761 Third Party Advisory
http://www.securityfocus.com/bid/106503 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html Mailing List
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html Mailing List
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html Mailing List
URL Date SRC
https://packetstorm.news/files/id/150001 2018-10-29
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695 2024-08-05
URL Date SRC
http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html 2020-08-24
http://www.openwall.com/lists/oss-security/2018/10/29/5 2020-08-24
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78 2020-08-24
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16 2020-08-24
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135 2020-08-24
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821 2020-08-24
URL Date SRC
https://access.redhat.com/errata/RHSA-2019:0831 2020-08-24
https://access.redhat.com/errata/RHSA-2019:2029 2020-08-24
https://access.redhat.com/errata/RHSA-2019:2043 2020-08-24
https://access.redhat.com/errata/RHSA-2020:0036 2020-08-24
https://access.redhat.com/errata/RHSA-2020:0100 2020-08-24
https://access.redhat.com/errata/RHSA-2020:0103 2020-08-24
https://access.redhat.com/errata/RHSA-2020:0179 2020-08-24
https://usn.ubuntu.com/3832-1 2020-08-24
https://usn.ubuntu.com/3835-1 2020-08-24
https://usn.ubuntu.com/3871-1 2020-08-24
https://usn.ubuntu.com/3871-3 2020-08-24
https://usn.ubuntu.com/3871-4 2020-08-24
https://usn.ubuntu.com/3871-5 2020-08-24
https://usn.ubuntu.com/3880-1 2020-08-24
https://usn.ubuntu.com/3880-2 2020-08-24
https://access.redhat.com/security/cve/CVE-2018-18281 2020-01-21
https://bugzilla.redhat.com/show_bug.cgi?id=1645121 2020-01-21
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.2 < 4.9.135
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 4.9.135"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.9.136 < 4.14.78
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9.136 < 4.14.78"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.14.79 < 4.18.16
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14.79 < 4.18.16"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.18.17 < 4.19
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18.17 < 4.19"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
esm
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected