Vulnerability Details : CVE-2018-13053
The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has a signed integer overflow via a large relative timeout: for a relative sleep on one of the alarm clocks (clock_nanosleep without TIMER_ABSTIME) it adds the caller-supplied timeout to the current time with plain ktime_add rather than the saturating ktime_add_safe, so a timeout close to KTIME_MAX wraps the computed expiry instead of being clamped. The issue was reported as a UBSAN signed-overflow warning at kernel/time/alarmtimer.c:811 and fixed by switching the addition to ktime_add_safe.
Vulnerability category: Overflow
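The following userspace C model is an added illustration, not the kernel's source code: it reproduces the expiry calculation that alarm_timer_nsleep performs for a relative timeout, once with a wrapping add (the pre-fix behaviour) and once with the saturating rule that the kernel's ktime_add_safe applies. The helper names, NSEC_PER_SEC, KTIME_MAX and KTIME_SEC_MAX follow the kernel's ktime definitions; the "now" value and the timespec fed in are constructed sample inputs.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the kernel's ktime helpers (assumption: mirrors the
   ktime API semantics; this is not the kernel's own code). */
typedef int64_t ktime_t;
#define NSEC_PER_SEC   1000000000LL
#define KTIME_MAX      ((ktime_t)LLONG_MAX)
#define KTIME_SEC_MAX  (KTIME_MAX / NSEC_PER_SEC)

/* timespec -> ktime, as ktime_set() does: absurd second counts are clamped
   to KTIME_MAX, so a huge tv_sec from user space yields exp == KTIME_MAX. */
static ktime_t ktime_set(int64_t secs, unsigned long nsecs)
{
    if (secs >= KTIME_SEC_MAX)
        return KTIME_MAX;
    return secs * NSEC_PER_SEC + (ktime_t)nsecs;
}

/* Plain addition, the pre-fix ktime_add(). In the kernel this is a signed
   s64 add (which is what UBSAN flagged); it is modelled here with unsigned
   arithmetic so the wrap-around is well defined in userspace. */
static ktime_t ktime_add_unsafe(ktime_t lhs, ktime_t rhs)
{
    return (ktime_t)((uint64_t)lhs + (uint64_t)rhs);
}

/* Saturating addition used by the fix: a wrapped result is detected by the
   ordering checks and replaced with the largest timeout that can still be
   returned to user space as a timespec. */
static ktime_t ktime_add_safe(ktime_t lhs, ktime_t rhs)
{
    ktime_t res = ktime_add_unsafe(lhs, rhs);
    if (res < 0 || res < lhs || res < rhs)
        res = ktime_set(KTIME_SEC_MAX, 0);
    return res;
}

/* Relative-nanosleep expiry as computed before the fix: now + timeout wraps
   when the timeout is near KTIME_MAX, producing an expiry in the past. */
ktime_t vulnerable_expiry(ktime_t now, int64_t tv_sec, long tv_nsec)
{
    ktime_t exp = ktime_set(tv_sec, tv_nsec);
    return ktime_add_unsafe(now, exp);
}

/* The same calculation after the fix: the sum saturates instead. */
ktime_t fixed_expiry(ktime_t now, int64_t tv_sec, long tv_nsec)
{
    ktime_t exp = ktime_set(tv_sec, tv_nsec);
    return ktime_add_safe(now, exp);
}

int main(void)
{
    /* Constructed sample: a plausible monotonic "now" in nanoseconds and a
       timespec with tv_sec = LLONG_MAX, as any process can hand to
       clock_nanosleep(). */
    const ktime_t now = 1529859276030040771LL;
    printf("vulnerable expiry: %lld\n",
           (long long)vulnerable_expiry(now, LLONG_MAX, 0));
    printf("fixed expiry:      %lld\n",
           (long long)fixed_expiry(now, LLONG_MAX, 0));
    return 0;
}
```

With the huge timeout the vulnerable path returns a negative expiry (the wrapped sum) while the fixed path returns KTIME_MAX; for an ordinary timeout both agree. Note that ktime_set(KTIME_SEC_MAX, 0) itself clamps to KTIME_MAX, so the saturation value is the same sentinel the timespec conversion already uses.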
Products affected by CVE-2018-13053
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-13053
0.07%: probability of exploitation activity in the next 30 days
~29%: percentile, the proportion of vulnerabilities scored at or below this one
CVSS scores for CVE-2018-13053
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P | 3.9 | 2.9 | NIST | |
3.3 | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 1.8 | 1.4 | NIST | |
CWE ids for CVE-2018-13053
- The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2018-13053
- https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html
  [SECURITY] [DLA 1715-1] linux-4.9 security update (Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/4094-1/
  USN-4094-1: Linux kernel vulnerabilities (Ubuntu security notices)
- https://usn.ubuntu.com/4118-1/
  USN-4118-1: Linux kernel (AWS) vulnerabilities (Ubuntu security notices)
- https://usn.ubuntu.com/3821-2/
  USN-3821-2: Linux kernel (Xenial HWE) vulnerabilities (Ubuntu security notices; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
  [SECURITY] [DLA 1731-2] linux regression update
- https://usn.ubuntu.com/3821-1/
  USN-3821-1: Linux kernel vulnerabilities (Ubuntu security notices; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
  [SECURITY] [DLA 1731-1] linux security update (Mailing List; Third Party Advisory)
- https://bugzilla.kernel.org/show_bug.cgi?id=200303
  Bug 200303: UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811 (Issue Tracking; Patch; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2019:2029
  RHSA-2019:2029 - Security Advisory (Red Hat Customer Portal)
- https://access.redhat.com/errata/RHSA-2019:0831
  RHSA-2019:0831 - Security Advisory (Red Hat Customer Portal)
- https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=5f936e19cc0ef97dbe3a56e9498922ad5ba1edef
  Fix commit 5f936e19cc0e in tip.git: alarmtimer: Prevent overflow for relative nanosleep (Patch; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2019:2043
  RHSA-2019:2043 - Security Advisory (Red Hat Customer Portal)
- http://www.securityfocus.com/bid/104671
  Linux Kernel CVE-2018-13053 Local Integer Overflow Vulnerability (Third Party Advisory; VDB Entry)