Vulnerability Details : CVE-2018-10881
A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds access in the ext4_get_group_info() function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
Vulnerability category: Overflow, Memory Corruption, Denial of service
Products affected by CVE-2018-10881
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_real_time_for_nfv:7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_real_time:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-10881
EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
Percentile: ~8% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-10881
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9 | MEDIUM | AV:L/AC:L/Au:N/C:N/I:N/A:C | 3.9 | 6.9 | NIST | |
5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | NIST | |
4.2 | MEDIUM | CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 0.5 | 3.6 | Red Hat, Inc. | |
CWE ids for CVE-2018-10881
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Secondary)
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by: secalert@redhat.com (Primary)
References for CVE-2018-10881
- http://www.securityfocus.com/bid/104901
  Linux Kernel CVE-2018-10881 Local Denial of Service Vulnerability (Third Party Advisory; VDB Entry)
- https://usn.ubuntu.com/3754-1/
  USN-3754-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://bugzilla.kernel.org/show_bug.cgi?id=200015
  200015 – BUG() triggered in ext4_get_group_info() when mounting and operating a crafted ext4 image (Exploit; Issue Tracking; Vendor Advisory)
- https://usn.ubuntu.com/3752-2/
  USN-3752-2: Linux kernel (HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3096
  RHSA-2018:3096 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://patchwork.ozlabs.org/patch/929792/
  ext4: clear i_data in ext4_inode_info when removing inline data - Patchwork (Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2948
  RHSA-2018:2948 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://usn.ubuntu.com/3752-1/
  USN-3752-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3083
  RHSA-2018:3083 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e8ab72a812396996035a37e5ca4b3b99b5d214b
  kernel/git/torvalds/linux.git - Linux kernel source tree (Patch; Vendor Advisory)
- https://usn.ubuntu.com/3753-2/
  USN-3753-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://usn.ubuntu.com/3752-3/
  USN-3752-3: Linux kernel (Azure, GCP, OEM) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html
  [SECURITY] [DLA 1423-1] linux-4.9 new package (Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/3753-1/
  USN-3753-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10881
  1596828 – (CVE-2018-10881) CVE-2018-10881 kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (Issue Tracking; Patch; Third Party Advisory)