CVE-2018-1000001

HIGH EXPLOITED

glibc < 2.26 - Buffer Underflow and Potential Code Execution via realpath()


Exploitation Summary

CVE-2018-1000001 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Metasploit, halfdog, and 0x00-0x00, among them the Metasploit module exploits/linux/local/glibc_realpath_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2018-1000001, a buffer underflow in glibc's realpath() function, to achieve local privilege escalation on Linux systems. It uses the RationalLove exploit to create a SUID root shell, targeting glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.

Description

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/44889

This Metasploit module exploits CVE-2018-1000001, a buffer underflow in glibc's realpath() function, to achieve local privilege escalation on Linux systems. It uses the RationalLove exploit to create a SUID root shell, targeting glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: GNU C Library (glibc) versions 2.26 and prior
No auth needed
Prerequisites: Unprivileged user namespaces enabled · GCC installed (for live compilation) · Writable directory (e.g., /tmp)
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by halfdog · c · local · linux
https://www.exploit-db.com/exploits/43775

This exploit targets a buffer underflow vulnerability in glibc's realpath() function (CVE-2018-1000001). It uses ASLR-aware techniques and format string manipulation to achieve arbitrary code execution, specifically targeting Debian Stretch, Ubuntu Xenial, and Linux Mint 18.3.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: glibc (versions 2.24-11+deb9u1, 2.23-0ubuntu9, and related)
No auth needed
Prerequisites: Access to a vulnerable system with glibc realpath() buffer underflow · Ability to execute the compiled binary
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 32 stars
by 0x00-0x00 · local
https://github.com/0x00-0x00/CVE-2018-1000001

This exploit demonstrates a buffer underflow in glibc's realpath() function, leveraging ASLR-aware techniques to achieve arbitrary code execution. It targets specific Linux distributions (Debian Stretch, Ubuntu Xenial, Linux Mint Sylvia) by exploiting a vulnerability in the umount binary.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: glibc (versions 2.24-11+deb9u1, 2.23-0ubuntu9, and related)
No auth needed
Prerequisites: Access to a vulnerable Linux system with glibc versions affected by CVE-2018-1000001 · Ability to execute the compiled exploit binary
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by usernameid0 · remote
https://github.com/usernameid0/tools-for-CVE-2018-1000001

This repository contains a proof-of-concept exploit for CVE-2018-1000001, which targets a buffer underflow vulnerability in the `realpath` function in the GNU C Library (glibc). The exploit leverages the vulnerability to achieve local privilege escalation by manipulating the stack and using ROP (Return-Oriented Programming) techniques.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: GNU C Library (glibc) versions affected by CVE-2018-1000001
No auth needed
Prerequisites: Access to a vulnerable system with unprivileged user namespace cloning enabled · Presence of the vulnerable glibc version
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb WORKING POC
local
https://github.com/5H311-1NJ3C706/local-root-exploits

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2018-1000001, targeting a vulnerability in the Linux kernel's USB-MIDI driver. The exploit uses a ROP chain to bypass SMEP and escalate privileges to root, requiring physical access to the machine.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (USB-MIDI driver)
No auth needed
Prerequisites: Physical access to the target machine · USB device emulation (e.g., Facedancer21) · Kernel symbols and ROP gadgets addresses
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC NORMAL
by halfdog, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/glibc_realpath_priv_esc.rb

This Metasploit module exploits a buffer underflow in glibc's realpath() function (CVE-2018-1000001) to achieve local privilege escalation on Linux systems with vulnerable glibc versions (2.23-0ubuntu9 and 2.24-11+deb9u1). It requires unprivileged user namespaces to be enabled and compiles or drops a pre-compiled exploit binary to gain root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: GNU C Library (glibc) versions 2.26 and prior
No auth needed
Prerequisites: Unprivileged user namespaces enabled · Vulnerable glibc version (2.23-0ubuntu9 or 2.24-11+deb9u1) · Write access to a directory (default: /tmp)
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190404-0003/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2018/q1/38
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3534-1/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102525
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44889/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43775/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3536-1/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0805
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040162

Scores

CVSS v3 7.8
EPSS 0.4142
EPSS Percentile 97.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-01-26
CWE
CWE-787
Status published
Products (12)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
gnu/glibc < 2.26
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.6
redhat/enterprise_linux_server_eus 7.6
redhat/enterprise_linux_server_tus 7.6
... and 2 more
Published Jan 31, 2018
Tracked Since Feb 18, 2026