CVE-2018-15912

HIGH

Manjaro Linux < 20180716-1 - Improper Privilege Management via manjaro-update-system.sh

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-15912. PoCs published by coderobe.

AI-analyzed exploit summary: This PoC exploits CVE-2018-15912 by leveraging a race condition in manjaro-system to execute arbitrary code as root via a malicious package repository. It demonstrates privilege escalation by manipulating pacman configuration and package installation.

Description

An issue was discovered in manjaro-update-system.sh in manjaro-system 20180716-1 on Manjaro Linux. A local attacker can install or remove arbitrary packages and package repositories potentially containing hooks with arbitrary code, which will automatically be run as root, or remove packages vital to the system.

Exploits (1)

nomisec WORKING POC 2 stars
by coderobe · poc
https://github.com/coderobe/CVE-2018-15912-PoC


Classification
Working PoC: 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: manjaro-system (specific version not specified)
No auth needed
Prerequisites: Local access to the target system · manjaro-system installed · pacman available
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Patch, Third Party Advisory x_refsource_confirm
https://gitlab.manjaro.org/packages/core/manjaro-system/commit/8208b8a
Exploit, Mailing List, Vendor Advisory mailing-list x_refsource_mlist
https://lists.manjaro.org/pipermail/manjaro-security/2018-August/000785.html

Scores

CVSS v3 7.8
EPSS 0.0079
EPSS Percentile 51.6%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-269
Status: published
Products (1): manjaro/manjaro_linux < 20180716-1
Published: Aug 29, 2018
Tracked since: Feb 18, 2026