CVE-2018-1000199

MEDIUM

Linux Kernel <3.18 - Memory Corruption

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-1000199. PoCs published by dsfau.

AI-analyzed exploit summary This PoC exploits a Linux ptrace bug (CVE-2018-1000199) where incorrect error handling in debug register virtualization allows corruption of kernel breakpoint tracking. The code manipulates DR0 and DR7 registers via ptrace to trigger the vulnerability.

Description

The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appear to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.

Exploits (1)

nomisec WORKING POC

by dsfau · poc

https://github.com/dsfau/CVE-2018-1000199

View Code ZIP pw:eip

This PoC exploits a Linux ptrace bug (CVE-2018-1000199) where incorrect error handling in debug register virtualization allows corruption of kernel breakpoint tracking. The code manipulates DR0 and DR7 registers via ptrace to trigger the vulnerability.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Linux kernel (x86, potentially other architectures)

No auth needed

Prerequisites: Linux system with vulnerable kernel · Address of do_debug from /proc/kallsyms

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (15)

Core 15

Core References

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2018/dsa-4187

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:1347

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:1348

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2018/dsa-4188

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:1354

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1040806

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:1355

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:1345

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:1318

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:1374

Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist

https://lkml.org/lkml/2018/4/6/813

Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3641-2/

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3641-1/

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html

Scores

CVSS v3 5.5

EPSS 0.0122

EPSS Percentile 64.9%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-119

Status published

Products (23)

canonical/ubuntu_linux 12.04

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 17.10

debian/debian_linux 7.0

debian/debian_linux 8.0

debian/debian_linux 9.0

linux/linux_kernel 3.18

redhat/enterprise_linux 7.0

redhat/enterprise_linux 7.2

... and 13 more

Published May 24, 2018

Tracked Since Feb 18, 2026