CVE-2018-1059

MEDIUM

Canonical Ubuntu Linux < 18.02.1 - Information Disclosure

Title source: rule

Description

The DPDK vhost-user interface does not verify that the entire requested guest physical range is mapped and contiguous when translating Guest Physical Addresses to Host Virtual Addresses. This may allow a malicious guest to expose vhost-user backend process memory. All versions before 18.02.1 are vulnerable.

References (8)

Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2524
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2102
Third Party Advisory x_refsource_misc
https://access.redhat.com/security/cve/cve-2018-1059
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3642-2/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2038
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3642-1/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1267
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1544298

Scores

CVSS v3 6.1
EPSS 0.0018
EPSS Percentile 39.8%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (15)
canonical/ubuntu_linux 17.10
canonical/ubuntu_linux 18.04
dpdk/data_plane_development_kit < 18.02.1
redhat/ceph_storage 3.0
redhat/enterprise_linux 7.0
redhat/enterprise_linux_fast_datapath 7.0
redhat/openshift 3.0
redhat/openstack 8
redhat/openstack 9
redhat/openstack 10
... and 5 more
Published Apr 24, 2018
Tracked Since Feb 18, 2026