CVE-2018-18281

Public Exploit

Description

Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.

References

Link	Tags
http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html	patch third party advisory vdb entry
https://usn.ubuntu.com/3835-1/	third party advisory vendor advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16	patch vendor advisory
https://usn.ubuntu.com/3880-1/	third party advisory vendor advisory
https://usn.ubuntu.com/3871-5/	third party advisory vendor advisory
https://usn.ubuntu.com/3871-4/	third party advisory vendor advisory
http://www.openwall.com/lists/oss-security/2018/10/29/5	patch mailing list third party advisory
https://usn.ubuntu.com/3880-2/	third party advisory vendor advisory
https://usn.ubuntu.com/3832-1/	third party advisory vendor advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821	patch vendor advisory
http://www.securityfocus.com/bid/105761	third party advisory vdb entry
https://usn.ubuntu.com/3871-1/	third party advisory vendor advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78	patch vendor advisory
http://www.securityfocus.com/bid/106503	third party advisory vdb entry
https://usn.ubuntu.com/3871-3/	third party advisory vendor advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695	patch third party advisory exploit
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html	third party advisory mailing list
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135	patch vendor advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html	third party advisory mailing list
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html	third party advisory mailing list
https://access.redhat.com/errata/RHSA-2019:0831	vendor advisory
https://access.redhat.com/errata/RHSA-2019:2043	vendor advisory
https://access.redhat.com/errata/RHSA-2019:2029	vendor advisory
https://access.redhat.com/errata/RHSA-2020:0036	vendor advisory
https://access.redhat.com/errata/RHSA-2020:0100	vendor advisory
https://access.redhat.com/errata/RHSA-2020:0103	vendor advisory
https://access.redhat.com/errata/RHSA-2020:0179	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2018-18281?: CVE-2018-18281 has been scored as a high severity vulnerability.
How to fix CVE-2018-18281?: To fix CVE-2018-18281, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2018-18281 being actively exploited in the wild?: It is possible that CVE-2018-18281 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-459 – Incomplete Cleanup

References

Frequently Asked Questions