CVE-2018-18559
kernel: Use-after-free due to race condition in AF_PACKET implementation
Public Exploits: 1
Exploited in Wild: -
Descriptions
In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.
A use-after-free flaw can occur in the Linux kernel due to a race condition between packet_do_bind() and packet_notifier() functions called for an AF_PACKET socket. An unprivileged, local user could use this flaw to induce kernel memory corruption on the system, leading to an unresponsive system or to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
Timeline
- 2018-10-22 CVE Reserved
- 2018-10-22 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-08-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-416: Use After Free
References (11)
URL | Date |
---|---|
https://blogs.securiteam.com/index.php/archives/3731 | 2024-08-05 |
https://access.redhat.com/errata/RHBA-2019:0327 | 2023-05-16 |
https://access.redhat.com/errata/RHSA-2019:0163 | 2023-05-16 |
https://access.redhat.com/errata/RHSA-2019:0188 | 2023-05-16 |
https://access.redhat.com/errata/RHSA-2019:1170 | 2023-05-16 |
https://access.redhat.com/errata/RHSA-2019:1190 | 2023-05-16 |
https://access.redhat.com/errata/RHSA-2019:3967 | 2023-05-16 |
https://access.redhat.com/errata/RHSA-2019:4159 | 2023-05-16 |
https://access.redhat.com/errata/RHSA-2020:0174 | 2023-05-16 |
https://access.redhat.com/security/cve/CVE-2018-18559 | 2020-01-21 |
https://bugzilla.redhat.com/show_bug.cgi?id=1641878 | 2020-01-21 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Linux | Linux Kernel | >= 3.2.95 < 3.2.100 | - | Affected |
Linux | Linux Kernel | >= 3.14.58 < 3.15 | - | Affected |
Linux | Linux Kernel | >= 3.18.25 < 3.18.88 | - | Affected |
Linux | Linux Kernel | >= 4.1.14 < 4.1.49 | - | Affected |
Linux | Linux Kernel | >= 4.2.7 < 4.3 | - | Affected |
Linux | Linux Kernel | >= 4.3.1 < 4.4.106 | - | Affected |
Linux | Linux Kernel | >= 4.5 < 4.9.70 | - | Affected |
Linux | Linux Kernel | >= 4.10 < 4.14.7 | - | Affected |
Redhat | Openshift Container Platform | 3.11 | - | Affected |
Redhat | Virtualization Host | 4.0 | - | Affected |
Redhat | Enterprise Linux Desktop | 7.0 | - | Affected |
Redhat | Enterprise Linux Server | 7.0 | - | Affected |
Redhat | Enterprise Linux Server Aus | 7.6 | - | Affected |
Redhat | Enterprise Linux Server Eus | 7.6 | - | Affected |
Redhat | Enterprise Linux Server Tus | 7.6 | - | Affected |
Redhat | Enterprise Linux Workstation | 7.0 | - | Affected |