PT-2018-3627 · Linux+5 · Linux Kernel+5

Published

2018-05-09

Updated

2024-06-15

CVE-2018-1118

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Linux kernel versions 4.8 and later

Description The issue is related to the vhost new msg() function in the Linux kernel, which can lead to information disclosure. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file. The problem arises because the Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system.

Recommendations For Linux kernel versions 4.8 and later, consider restricting access to the /dev/vhost-net device file to minimize the risk of exploitation. As a temporary workaround, consider disabling the vhost new msg() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Initialization

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-665CWE-200

Related Identifiers

ALT-PU-2018-1943

ALT-PU-2018-1950

ALT-PU-2018-2192

ALT-PU-2018-2210

ALT-PU-2019-1433

BDU:2021-01420

CESA-2018_3083

CVE-2018-1118

DLA-1423-1

MGASA-2018-0324

MGASA-2018-0340

MGASA-2018-0341

OPENSUSE-SU-2018_2119-1

OPENSUSE-SU-2024:10728-1

OPENSUSE-SU-2024:13704-1

RHSA-2018:2948

RHSA-2018:3083

RHSA-2018:3096

RHSA-2018_3083

RHSA-2018_3096

SUSE-SU-2018:2092-1

SUSE-SU-2018:2222-1

USN-3762-1

USN-3762-2

Affected Products

Alt Linux

Centos

Linux Kernel

Red Hat

Suse

Ubuntu

PT-2018-3627 · Linux+5 · Linux Kernel+5

CVE-2018-1118

Weakness Enumeration

Related Identifiers

Affected Products

References · 609