CVE-2018-20856

kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.

El servidor web en ZENworks Configuration Management (ZCM) de Novell versión 10.3 y versión 11.2 anteriores a 11.2.4, no realiza apropiadamente la autenticación para el archivo zenworks/jsp/index.jsp, lo que permite a los atacantes remotos realizar ataques de salto de directorio y en consecuencia cargar y ejecutar programas arbitrarios, por medio de una petición al puerto TCP 443.

A flaw was found in the Linux kernel’s block driver implementation (blk_drain_queue() function) where a use-after-free condition could be triggered while draining the outstanding command queue in the systems block device subsystem. An attacker could use this flaw to crash the system or corrupt local memory, which may lead to privilege escalation.

It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code. Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-07-26 CVE Reserved
2019-07-26 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-416: Use After Free

CAPEC

References (26)

URL	Tag	Source
http://packetstormsecurity.com/files/154059/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html	X_refsource_misc
http://packetstormsecurity.com/files/154408/Kernel-Live-Patch-Security-Notice-LSN-0055-1.html	X_refsource_misc
http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html	X_refsource_misc
https://lists.debian.org/debian-lts-announce/2019/08/msg00017.html	Mailing List
https://seclists.org/bugtraq/2019/Aug/18	Mailing List
https://seclists.org/bugtraq/2019/Aug/26	Mailing List
https://security.netapp.com/advisory/ntap-20190905-0002	X_refsource_confirm
https://support.f5.com/csp/article/K14673240?utm_source=f5support&amp%3Butm_medium=RSS	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54648cf1ec2d7f4b6a71767799c45676a138ca24	2023-11-07
https://github.com/torvalds/linux/commit/54648cf1ec2d7f4b6a71767799c45676a138ca24	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:3055	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3076	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3089	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3217	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0100	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0103	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0543	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0664	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0698	2023-11-07
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.7	2023-11-07
https://usn.ubuntu.com/4094-1	2023-11-07
https://usn.ubuntu.com/4116-1	2023-11-07
https://usn.ubuntu.com/4118-1	2023-11-07
https://www.debian.org/security/2019/dsa-4497	2023-11-07
https://access.redhat.com/security/cve/CVE-2018-20856	2020-03-03
https://bugzilla.redhat.com/show_bug.cgi?id=1738705	2020-03-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.18.7 Search vendor "Linux" for product "Linux Kernel" and version " < 4.18.7"		-		Affected