#VU10925 Improper input validation in Linux kernel - CVE-2018-1000026

Cybersecurity Help s.r.o.

Published: 2018-03-12 | Updated: 2020-05-30

Vulnerability identifier: #VU10925

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-1000026

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the bnx2x network card driver due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted packet to the affected network card and cause the system to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: 4.4.96, 4.8.0 - 4.8.17, 4.9 - 4.9.158, 4.10.0 - 4.15.7

External links
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8914a595110a6eca69a5e2...
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.159
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.102

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE Linux update for the Linux Kernel

OpenSUSE Linux update for the Linux Kernel

Denial of service in Linux Kernel