Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2018-18281

Disclosure Date: October 30, 2018
CVE-2018-18281
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

References

Canonical
CVE-2018-18281 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18281)
BID-105761 (http://www.securityfocus.com/bid/105761)
BID-106503 (http://www.securityfocus.com/bid/106503)
Advisory
USN-3835-1 (https://usn.ubuntu.com/3835-1)
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16
USN-3880-1 (https://usn.ubuntu.com/3880-1)
USN-3871-5 (https://usn.ubuntu.com/3871-5)
USN-3871-4 (https://usn.ubuntu.com/3871-4)
[oss-security] 20181029 Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135, 4.14.78, 4.18.16, 4.19) (http://www.openwall.com/lists/oss-security/2018/10/29/5)
USN-3880-2 (https://usn.ubuntu.com/3880-2)
USN-3832-1 (https://usn.ubuntu.com/3832-1)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=eb66ae030829605d61fbef1909ce310e29f78821
USN-3871-1 (https://usn.ubuntu.com/3871-1)
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78
USN-3871-3 (https://usn.ubuntu.com/3871-3)
[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update (https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html)
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135
[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update (https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html)
[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update (https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html)
https://access.redhat.com/errata/RHSA-2019:0831
https://access.redhat.com/errata/RHSA-2019:2043
https://access.redhat.com/errata/RHSA-2019:2029
https://access.redhat.com/errata/RHSA-2020:0036
https://access.redhat.com/errata/RHSA-2020:0100
https://access.redhat.com/errata/RHSA-2020:0103
https://access.redhat.com/errata/RHSA-2020:0179
Miscellaneous
http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis