CVE-2018-18559 : In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout

In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.

Published 2018-10-22 16:29:00

Updated 2023-05-16 11:14:50

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Exploit prediction scoring system (EPSS) score for CVE-2018-18559

Probability of exploitation activity in the next 30 days: 1.41%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-18559

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-18559

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Assigned by: nvd@nist.gov (Primary)
CWE-416 Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-18559

https://access.redhat.com/errata/RHSA-2019:0163

RHSA-2019:0163 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://blogs.securiteam.com/index.php/archives/3731

SSD Advisory – Linux Kernel AF_PACKET Use After Free (packet_sock) - SSD Secure Disclosure
Exploit;Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1170

RHSA-2019:1170 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHBA-2019:0327

RHBA-2019:0327 - Bug Fix Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0174

RHSA-2020:0174 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3967

RHSA-2019:3967 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0188

RHSA-2019:0188 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4159

RHSA-2019:4159 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1190

RHSA-2019:1190 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2018-18559

Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Virtualization Host » Version: 4.0
cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 3.11
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.2.95 and before (<) 3.2.100
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.14.58 and before (<) 3.15
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.3.1 and before (<) 4.4.106
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.2.7 and before (<) 4.3
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 3.18.25 and before (<) 3.18.88
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.5 and before (<) 4.9.70
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.1.14 and before (<) 4.1.49
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.10 and before (<) 4.14.7
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2018-18559

Exploit prediction scoring system (EPSS) score for CVE-2018-18559

CVSS scores for CVE-2018-18559

CWE ids for CVE-2018-18559

References for CVE-2018-18559

Products affected by CVE-2018-18559