CVE-2018-7566

kernel: race condition in snd_seq_write() may lead to UAF or OOB-access

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.

El kernel de Linux 4.15 tiene un desbordamiento de búfer mediante una operación de escritura ioctl SNDRV_SEQ_IOCTL_SET_CLIENT_POOL en /dev/snd/seq por un usuario local.

ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access.

An update that fixes four vulnerabilities is now available. This update for the Linux Kernel 3.12.74-60_64_51 fixes several issues. The following security issues were fixed. An elevation of privilege vulnerability was fixed in the kernel v4l2 video driver.A flaw was found in the Linux kernels implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. A race condition vulnerability existed in the sound system, which could lead to a deadlock and denial of service condition.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-02-28 CVE Reserved
2018-03-28 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (22)

URL	Tag	Source
http://www.securityfocus.com/bid/103605	Third Party Advisory
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html	Mailing List
https://www.oracle.com/security-alerts/cpujul2020.html	X_refsource_misc

URL	Date	SRC

URL	Date	SRC
http://mailman.alsa-project.org/pipermail/alsa-devel/2018-February/132026.html	2020-08-24
https://bugzilla.redhat.com/show_bug.cgi?id=1550142	2019-06-17
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d15d662e89fc667b90cd294b0eb45694e33144da	2020-08-24
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	2020-08-24

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2018-03/msg00067.html	2020-08-24
https://access.redhat.com/errata/RHSA-2018:2384	2020-08-24
https://access.redhat.com/errata/RHSA-2018:2390	2020-08-24
https://access.redhat.com/errata/RHSA-2018:2395	2020-08-24
https://access.redhat.com/errata/RHSA-2018:2948	2020-08-24
https://access.redhat.com/errata/RHSA-2019:1483	2020-08-24
https://access.redhat.com/errata/RHSA-2019:1487	2020-08-24
https://usn.ubuntu.com/3631-1	2020-08-24
https://usn.ubuntu.com/3631-2	2020-08-24
https://usn.ubuntu.com/3798-1	2020-08-24
https://usn.ubuntu.com/3798-2	2020-08-24
https://www.debian.org/security/2018/dsa-4187	2020-08-24
https://www.debian.org/security/2018/dsa-4188	2020-08-24
https://access.redhat.com/security/cve/CVE-2018-7566	2019-06-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.15 Search vendor "Linux" for product "Linux Kernel" and version "4.15"		-		Affected
Suse Search vendor "Suse"		Linux Enterprise Module For Public Cloud Search vendor "Suse" for product "Linux Enterprise Module For Public Cloud"				12 Search vendor "Suse" for product "Linux Enterprise Module For Public Cloud" and version "12"		-		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				12 Search vendor "Suse" for product "Linux Enterprise Server" and version "12"		ltss		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				6.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				7.6 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus"				7.5 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.5"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus"				7.6 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Tus Search vendor "Redhat" for product "Enterprise Linux Server Tus"				7.6 Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "7.6"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				6.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Eagle Application Processor Search vendor "Oracle" for product "Communications Eagle Application Processor"				16.1.0 Search vendor "Oracle" for product "Communications Eagle Application Processor" and version "16.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Eagle Application Processor Search vendor "Oracle" for product "Communications Eagle Application Processor"				16.2.0 Search vendor "Oracle" for product "Communications Eagle Application Processor" and version "16.2.0"		-		Affected