CVE-2018-13405

HIGH

Linux Kernel < 3.16 - Privilege Escalation via SGID Directory Inode Initialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-13405. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit demonstrates a privilege escalation vulnerability (CVE-2018-13405) in Linux kernels where setgid directories allow unauthorized file creation with elevated group permissions. The PoC uses `fallocate()` and `mmap()` to bypass the kernel's privilege-dropping logic, enabling arbitrary file writes with elevated group ownership.

Description

The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · cdoslinux

https://www.exploit-db.com/exploits/45033

View Code ZIP pw:eip

This exploit demonstrates a privilege escalation vulnerability (CVE-2018-13405) in Linux kernels where setgid directories allow unauthorized file creation with elevated group permissions. The PoC uses `fallocate()` and `mmap()` to bypass the kernel's privilege-dropping logic, enabling arbitrary file writes with elevated group ownership.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux Kernel (versions affected by CVE-2018-13405)

No auth needed

Prerequisites: Access to a system with a setgid directory (e.g., /var/crash on Ubuntu 18.04) · Ability to compile and execute C code

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (28)

Core 28

Core References

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3752-2/

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:3083

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3752-3/

Third Party Advisory x_refsource_misc

https://twitter.com/grsecurity/status/1015082951204327425

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3753-2/

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3754-1/

Mailing List, Patch, Third Party Advisory x_refsource_misc

http://openwall.com/lists/oss-security/2018/07/13/2

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:2948

Patch, Vendor Advisory x_refsource_misc

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45033/

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2018/dsa-4266

Broken Link vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106503

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3752-1/

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:3096

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3753-1/

Patch, Third Party Advisory x_refsource_misc

https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

View Patch ZIP pw:eip

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:0717

Third Party Advisory x_refsource_confirm

https://support.f5.com/csp/article/K00854051

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2476

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2566

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2696

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2730

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:4159

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:4164

Mailing List, Patch, Vendor Advisory x_refsource_confirm

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840cd61c23e2b9241093737b4c395cb406

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKKIAUMR5FAYLZ7HLEPOXMKAAE3BYBQ/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRBNBX73SAFKQWBOX76SLMWPTKJPVGEJ/

Scores

CVSS v3 7.8

EPSS 0.0014

EPSS Percentile 34.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-269

Status published

Products (49)

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04 (2 CPE variants)

canonical/ubuntu_linux 18.04

debian/debian_linux 8.0

debian/debian_linux 9.0

f5/big-ip_access_policy_manager 15.1.0

f5/big-ip_access_policy_manager 16.0.0

f5/big-ip_access_policy_manager 13.0.0 - 13.1.3.5

f5/big-ip_advanced_firewall_manager 15.1.0

f5/big-ip_advanced_firewall_manager 16.0.0

... and 39 more

Published Jul 06, 2018

Tracked Since Feb 18, 2026