CVE-2018-18281

HIGH

Linux kernel <4.2 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18281. PoCs published by codecat007.

AI-analyzed exploit summary: This PoC demonstrates a race condition in the Linux kernel's mremap and ftruncate system calls, leading to a use-after-free vulnerability. The exploit uses multithreading to trigger the race, potentially causing memory corruption or a segmentation fault.

Description

Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
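As an added example (not part of this entry or of the referenced PoC), the following sketch triages `uname -r` style release strings against the introduced and fixed versions named in the description above. The function names, result labels, and sample strings are assumptions made for illustration.

```python
import re

# Versions named in the Description: stable branch -> first fixed patch level.
FIXED_STABLE = {(4, 9): 135, (4, 14): 78, (4, 18): 16}
INTRODUCED = (3, 2)       # "Since Linux kernel version 3.2"
FIXED_MAINLINE = (4, 19)  # 4.19 is listed as fixed


def parse_release(release):
    """Parse a `uname -r` style string such as '4.14.77-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(release):
    """Classify an upstream version string against the versions in the description.

    Returns one of:
      'not-affected'     older than 3.2, before the late TLB flush in mremap()
      'fixed'            at or beyond a fixed release named in the description
      'affected'         on a listed stable branch, below its fixed patch level
      'check-backports'  in the 3.2..4.19 window with no fixed release listed
                         for that branch, or a 4.19 release candidate
    """
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not-affected"
    if branch == FIXED_MAINLINE and patch == 0 and "-rc" in release:
        return "check-backports"  # the description names 4.19 itself, not its pre-releases
    if branch >= FIXED_MAINLINE:
        return "fixed"
    if branch in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[branch] else "affected"
    return "check-backports"


if __name__ == "__main__":
    # Constructed sample release strings, not taken from the page.
    samples = ["3.1.10", "4.9.134", "4.9.135", "4.14.77-generic",
               "4.18.16", "4.4.0-139-generic", "4.19.0-rc8", "5.4.0"]
    for sample in samples:
        print(f"{sample:20} {triage(sample)}")
```

Distribution kernels backport fixes without changing the upstream version number, so an `affected` or `check-backports` result on a vendor kernel should be confirmed against the vendor advisories listed in the references.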

Exploits (1)

github WORKING POC 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/kernel/CVE-2018-18281

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Linux kernel (specific versions affected by CVE-2018-18281)
No auth needed
Prerequisites: Modified kernel with specific patch applied · Compilation with pthread support
devstral-2 · analyzed Feb 27, 2026

References (27)

Core References
Patch, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3835-1/
Patch, Vendor Advisory x_refsource_confirm
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3880-1/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3871-5/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3871-4/
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2018/10/29/5
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3880-2/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3832-1/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105761
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3871-1/
Patch, Vendor Advisory x_refsource_confirm
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106503
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3871-3/
Exploit, Patch, Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html
Patch, Vendor Advisory x_refsource_confirm
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0831
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2043
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2029
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0036
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0100
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0103
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0179

Scores

CVSS v3 7.8
EPSS 0.0023
EPSS Percentile 45.7%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-459
Status published
Products (7)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
debian/debian_linux 8.0
linux/linux_kernel 3.2 - 4.9.135
Published Oct 30, 2018
Tracked Since Feb 18, 2026