{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-10-29T00:00:00", "descriptions": [{"lang": "en", "value": "Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-21T19:06:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html"}, {"name": "USN-3835-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3835-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16"}, {"name": "USN-3880-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3880-1/"}, {"name": "USN-3871-5", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3871-5/"}, {"name": "USN-3871-4", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3871-4/"}, {"name": "[oss-security] 20181029 Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135, 4.14.78, 4.18.16, 4.19)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2018/10/29/5"}, {"name": "USN-3880-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3880-2/"}, {"name": "USN-3832-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3832-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821"}, {"name": "105761", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105761"}, {"name": "USN-3871-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3871-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78"}, {"name": "106503", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106503"}, {"name": "USN-3871-3", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3871-3/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1695"}, {"name": "[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135"}, {"name": "[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html"}, {"name": "[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html"}, {"name": "RHSA-2019:0831", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:0831"}, {"name": "RHSA-2019:2043", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2043"}, {"name": "RHSA-2019:2029", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2029"}, {"name": "RHSA-2020:0036", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0036"}, {"name": "RHSA-2020:0100", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0100"}, {"name": "RHSA-2020:0103", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0103"}, {"name": "RHSA-2020:0179", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0179"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18281", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html"}, {"name": "USN-3835-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3835-1/"}, {"name": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16", "refsource": "CONFIRM", "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16"}, {"name": "USN-3880-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3880-1/"}, {"name": "USN-3871-5", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3871-5/"}, {"name": "USN-3871-4", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3871-4/"}, {"name": "[oss-security] 20181029 Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135, 4.14.78, 4.18.16, 4.19)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2018/10/29/5"}, {"name": "USN-3880-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3880-2/"}, {"name": "USN-3832-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3832-1/"}, {"name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821", "refsource": "CONFIRM", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821"}, {"name": "105761", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105761"}, {"name": "USN-3871-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3871-1/"}, {"name": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78", "refsource": "CONFIRM", "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78"}, {"name": "106503", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106503"}, {"name": "USN-3871-3", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3871-3/"}, {"name": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1695", "refsource": "MISC", "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1695"}, {"name": "[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html"}, {"name": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135", "refsource": "CONFIRM", "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135"}, {"name": "[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html"}, {"name": "[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html"}, {"name": "RHSA-2019:0831", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:0831"}, {"name": "RHSA-2019:2043", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2043"}, {"name": "RHSA-2019:2029", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2029"}, {"name": "RHSA-2020:0036", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0036"}, {"name": "RHSA-2020:0100", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0100"}, {"name": "RHSA-2020:0103", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0103"}, {"name": "RHSA-2020:0179", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0179"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18281", "datePublished": "2018-10-30T18:00:00", "dateReserved": "2018-10-12T00:00:00", "dateUpdated": "2020-01-21T19:06:22", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "00CE0B27-26A0-4307-A248-A29D516525D0", "versionEndExcluding": "4.9.135", "versionStartIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D99EB273-47E2-4E77-9D0D-64C726857DF5", "versionEndExcluding": "4.14.78", "versionStartIncluding": "4.9.136", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D9D80C7-B3D0-4087-8868-7781AB50744E", "versionEndExcluding": "4.18.16", "versionStartIncluding": "4.14.79", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "570A682A-5DCF-4050-BFF8-74BA56FF487C", "versionEndExcluding": "4.19", "versionStartIncluding": "4.18.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19."}, {"lang": "es", "value": "Desde la versi\u00f3n 3.2 del kernel de Linux, la syscall mremap() realiza vaciados TLB tras soltar bloqueos de tabla de p\u00e1gina. Si una syscall como ftruncate() elimina las entradas de las tablas de p\u00e1gina de una tarea en medio de mremap(), una entrada TLB obsoleta puede permanecer por poco tiempo, lo que permite el acceso a una p\u00e1gina f\u00edsica una vez se ha devuelto al asignador de p\u00e1ginas y se reutiliza. Esto se ha solucionado en las siguientes versiones del kernel: 4.9.135, 4.14.78, 4.18.16 y 4.19."}], "id": "CVE-2018-18281", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-30T18:29:00.737", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2018/10/29/5"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105761"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106503"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:0831"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2029"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2043"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0036"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0100"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0103"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2020:0179"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1695"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3832-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3835-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3871-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3871-3/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3871-4/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3871-5/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3880-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3880-2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-459"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}