CVE-2018-18955 PUBLISHED

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

EPSS 12.22% · 93.8th percentile

Affected Products

Vendor            Product       Versions
Ubuntu:14.04:LTS  linux-azure   0, 4.15.0-1032.33~14.04.2, 4.15.0-1023.24~14.04.1
Ubuntu:18.04:LTS  linux-oem     4.15.0-1006.9, 4.15.0-1004.5, 4.15.0-1002.3
Ubuntu:18.04:LTS  linux-raspi2  4.15.0-1022.24, 4.15.0-1020.22, 4.15.0-1018.19
Ubuntu:16.04:LTS  linux-azure   4.15.0-1025.26~16.04.1, 0, 4.11.0-1009.9
Ubuntu:18.04:LTS  linux-kvm     4.15.0-1002.2, 0, 4.15.0-1026.26
Ubuntu:16.04:LTS  linux-gcp     4.15.0-1021.22~16.04.1, 4.15.0-1024.25~16.04.2, 4.13.0-1002.5
Ubuntu:18.04:LTS  linux-gcp     4.15.0-1024.25, 4.15.0-1023.24, 4.15.0-1021.22
Ubuntu:16.04:LTS  linux-hwe     4.8.0-51.54~16.04.1, 4.8.0-52.55~16.04.1, 4.8.0-53.56~16.04.1
Ubuntu:18.04:LTS  linux-aws     4.15.0-1016.16, 4.15.0-1011.11, 4.15.0-1010.10
Ubuntu:18.04:LTS  linux-azure   4.15.0-1003.3, 4.15.0-1014.14, 4.15.0-1013.13
Ubuntu:18.04:LTS  linux         4.15.0-39.42, 4.15.0-38.41, 4.15.0-36.39
