CVE-2018-15686

HIGH

Canonical Ubuntu Linux < 239 - Insecure Deserialization

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-15686. PoCs published by Google Security Research, hpcprofessional.

AI-analyzed exploit summary This exploit demonstrates a deserialization vulnerability in systemd (CVE-2018-15686) where an overlong status message from a service with NotifyAccess can corrupt systemd's state during re-execution, leading to PID spoofing or file descriptor theft.

Description

A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Google Security Research · cdoslinux
https://www.exploit-db.com/exploits/45714

This exploit demonstrates a deserialization vulnerability in systemd (CVE-2018-15686) where an overlong status message from a service with NotifyAccess can corrupt systemd's state during re-execution, leading to PID spoofing or file descriptor theft.

Classification
Working Poc 100%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: systemd (versions prior to fix)
No auth needed
Prerequisites: Service with NotifyAccess != none · Ability to send status messages to systemd
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by hpcprofessional · poc
https://github.com/hpcprofessional/remediate_cesa_2019_2091

This repository provides a Bolt Task for remediating CVE-2018-15686, CVE-2018-16866, and CVE-2018-16888 by updating systemd packages via yum. It is designed for Enterprise Linux 7 platforms.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: systemd on Enterprise Linux 7
Auth required
Prerequisites: Access to a vulnerable EL7 system with yum configured · Sufficient privileges to run yum update
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (11)

Core 11
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201810-10
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105747
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45714/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3816-1/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2091
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3222
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0593
Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://github.com/systemd/systemd/pull/10519

Scores

CVSS v3 7.8
EPSS 0.0228
EPSS Percentile 80.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (6)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
debian/debian_linux 8.0
oracle/communications_cloud_native_core_network_function_cloud_native_environment 1.4.0
systemd_project/systemd < 239
Published Oct 26, 2018
Tracked Since Feb 18, 2026