CVE-2018-1000140

CRITICAL

rsyslog librelp <1.2.14 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-1000140. PoCs published by s0.

AI-analyzed exploit summary This repository contains a fixed version of librelp addressing CVE-2018-1000140, a vulnerability in the RELP protocol implementation. The code includes example sender/receiver implementations and core library fixes for session handling and command processing.

Description

rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appear to be exploitable a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate.

Exploits (2)

nomisec WORKING POC
by s0 · poc
https://github.com/s0/rsyslog-librelp-CVE-2018-1000140-fixed

This repository contains a fixed version of librelp addressing CVE-2018-1000140, a vulnerability in the RELP protocol implementation. The code includes example sender/receiver implementations and core library fixes for session handling and command processing.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: librelp (used in rsyslog)
No auth needed
Prerequisites: Network access to a vulnerable librelp service · Ability to send crafted RELP packets
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by s0 · poc
https://github.com/s0/rsyslog-librelp-CVE-2018-1000140

This repository contains a proof-of-concept exploit for CVE-2018-1000140, a vulnerability in librelp. The exploit includes example sender and receiver code to demonstrate the flaw, along with the necessary library modifications.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: librelp (used in rsyslog)
No auth needed
Prerequisites: Access to a vulnerable librelp instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Exploit, Third Party Advisory
https://lgtm.com/rules/1505913226124/
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/3612-1/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/201804-21
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2018:1703
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2018:1704
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2018:1702
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2018:1225
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2018:1707
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2018:1223
Third Party Advisory vendor-advisory
https://www.debian.org/security/2018/dsa-4151
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2018:1701

Scores

CVSS v3 9.8
EPSS 0.0966
EPSS Percentile 94.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (25)
canonical/ubuntu_linux 14.04
debian/debian_linux 8.0
debian/debian_linux 9.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 6.6
redhat/enterprise_linux_server_aus 7.2
redhat/enterprise_linux_server_aus 7.3
... and 15 more
Published Mar 23, 2018
Tracked Since Feb 18, 2026