VDB
CVE-2018-12233
CVE-2018-12233
PUBLISHED
In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.
EPSS 0.10% · 26.6th percentile
Risk Scores
EPSS Score
0.10%
26.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | linux-oem | 4.15.0-1002.3, 4.15.0-1012.15, 0 |
| Ubuntu:14.04:LTS | linux | 3.13.0-142.191, 3.13.0-65.105, 3.13.0-65.106 |
| Ubuntu:16.04:LTS | linux-snapdragon | 4.4.0-1071.76, 4.4.0-1030.33, 4.4.0-1090.95 |
| Ubuntu:16.04:LTS | linux-aws | 4.4.0-1028.37, 4.4.0-1050.59, 4.4.0-1037.46 |
| Ubuntu:22.04:LTS | linux-intel-iot-realtime | 0, 5.15.0-1073.75 |
| Ubuntu:20.04:LTS | linux-raspi2 | 5.3.0-1007.8, 0, 5.3.0-1014.16 |
| Ubuntu:18.04:LTS | linux | 4.13.0-25.29, 0, 4.15.0-32.35 |
| Ubuntu:20.04:LTS | linux-gke | 5.4.0-1083.89, 5.4.0-1096.103, 5.4.0-1046.48 |
| Ubuntu:14.04:LTS | linux-lts-xenial | 0, 4.4.0-13.29~14.04.1, 4.4.0-14.30~14.04.2 |
| Ubuntu:18.04:LTS | linux-kvm | 4.15.0-1003.3, 4.15.0-1002.2, 4.15.0-1012.12 |
| Ubuntu:16.04:LTS | linux-azure | *, *, * |
| Ubuntu:24.04:LTS | linux-gcp-6.11 | 0, 6.11.0-1013.13~24.04.1, 6.11.0-1015.15~24.04.1 |
| Ubuntu:14.04:LTS | linux-aws | 4.4.0-1024.25, 4.4.0-1023.23, 4.4.0-1019.19 |
| Ubuntu:18.04:LTS | linux-gcp | 4.15.0-1014.14, 4.15.0-1003.3, 4.15.0-1005.5 |
| Ubuntu:16.04:LTS | linux-hwe | 4.8.0-53.56~16.04.1, *, * |
| Ubuntu:24.04:LTS | linux-hwe-6.11 | 6.11.0-19.19~24.04.1, 6.11.0-17.17~24.04.2, 0 |
| Ubuntu:16.04:LTS | linux-raspi2 | 4.4.0-1040.47, 4.2.0-1013.19, 4.2.0-1014.21 |
| Ubuntu:Pro:FIPS:16.04:LTS | linux-fips | 4.4.0-1006.6, 4.4.0-1005.5, 0 |
| Ubuntu:24.04:LTS | linux-lowlatency-hwe-6.11 | 6.11.0-1011.12~24.04.1, 6.11.0-1013.14~24.04.1, 6.11.0-1016.17~24.04.1 |
| Ubuntu:18.04:LTS | linux-azure | 4.15.0-1004.4, 4.15.0-1018.18, 4.15.0-1014.14 |
…and 12 more
Timeline
- Jun 12, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-12233 third-party-advisory
- https://lkml.org/lkml/2018/6/2/2 third-party-advisory
- https://marc.info/?l=linux-kernel&m=152814391530549&w=2 third-party-advisory
- https://ubuntu.com/security/notices/USN-3752-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-3752-2 vendor-advisory
- https://ubuntu.com/security/notices/USN-3753-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-3753-2 vendor-advisory
- https://ubuntu.com/security/notices/USN-3754-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-3752-3 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-12233 third-party-advisory