Denial of service in Linux Kernel
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2018-7480 CVE-2017-18200 CVE-2017-18202 |
| CWE-ID | CWE-415 CWE-20 CWE-119 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Linux kernel Operating systems & Components / Operating system |
| Vendor | Linux Foundation |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Double-free error
EUVDB-ID: #VU10769
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-7480
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The weakness exists in the block/blk-cgroup.c source code in the blkcg_init_queue function due to double free. A remote attacker can trigger memory corruption and cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsLinux kernel: 4.4.9 - 4.10.17
CPE2.3- cpe:2.3:o:linux_foundation:linux_kernel:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.8.17:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.9.11:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.17:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Denial of service
EUVDB-ID: #VU10770
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-18200
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition ob the target system.
The weakness exists in the Flash-Friendly File System (F2FS) implementation due to the improper handling of reference counts that are associated with f2fs_wait_discard_bios calls. A remote attacker can send a specially crafted fstrim command and cause a kernel panic.
Install update from vendor's website.
Vulnerable software versionsLinux kernel: 4.10 - 4.13.6
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Memory corruption
EUVDB-ID: #VU10805
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-18202
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The weakness exists in the mm/oom_kill.c source code in the __oom_reap_task_mm function due to boundary error. A local attacker can trigger memory corruption and cause the system to crash.
Install update from vendor's website.
Linux kernel: 4.10 - 4.14.23
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
