CVE-2018-18955

HIGH

Linux Nested User Namespace idmap Limit Local Privilege Escalation

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 8 public exploits for CVE-2018-18955. PoCs published by Metasploit, Google Security Research, bcoles, including Metasploit module exploits/linux/local/nested_namespace_idmap_limit_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits CVE-2018-18955, a Linux kernel vulnerability in nested user namespaces, allowing local privilege escalation to root. It leverages broken uid/gid mappings and requires unprivileged user namespaces and the uidmap package to be installed.

Description

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocallinux
https://www.exploit-db.com/exploits/45915

This Metasploit module exploits CVE-2018-18955, a Linux kernel vulnerability in nested user namespaces, allowing local privilege escalation to root. It leverages broken uid/gid mappings and requires unprivileged user namespaces and the uidmap package to be installed.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel versions 4.15.0 to 4.18.18 and 4.19.0 to 4.19.1
No auth needed
Prerequisites: Unprivileged user namespaces enabled · newuidmap and newgidmap helpers installed · GCC for live compilation (optional)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Google Security Research · textlocallinux
https://www.exploit-db.com/exploits/45886

This exploit leverages a flaw in the Linux kernel's user namespace implementation (CVE-2018-18955) where incorrect ID mapping allows bypassing DAC controls. The PoC demonstrates reading /etc/shadow by creating nested user namespaces with specific UID mappings.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel versions with commit 6397fac4915a (4.15+)
No auth needed
Prerequisites: User namespace support enabled · Access to newuidmap helper · Specific /etc/subuid and /etc/subgid configurations
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by bcoles · bashlocallinux
https://www.exploit-db.com/exploits/47167

This exploit leverages CVE-2018-18955, a local privilege escalation vulnerability in polkit, to gain root access by manipulating user namespace mappings and abusing pkexec. It compiles helper binaries, creates a malicious polkit policy, and escalates privileges via SUID manipulation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: polkit (policykit-1) on Linux systems
Auth required
Prerequisites: gcc · pkexec · newuidmap · newgidmap · writable working directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by bcoles · bashlocallinux
https://www.exploit-db.com/exploits/47165

This exploit leverages CVE-2018-18955, a privilege escalation vulnerability in the Linux kernel's user namespace implementation. It uses D-Bus to execute a service as root, creating a SUID root shell at /tmp/sh.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel (versions affected by CVE-2018-18955)
No auth needed
Prerequisites: gcc · dbus-send · newuidmap · newgidmap · writable working directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by bcoles · bashlocallinux
https://www.exploit-db.com/exploits/47166

This exploit leverages CVE-2018-18955, a privilege escalation vulnerability in the Linux kernel's user namespace implementation. It uses the ld.so.preload technique to inject a malicious library, ultimately granting root access via a setuid binary.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel (versions affected by CVE-2018-18955)
No auth needed
Prerequisites: gcc · newuidmap · newgidmap · writable working directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by bcoles · bashlocallinux
https://www.exploit-db.com/exploits/47164

This exploit leverages CVE-2018-18955, a privilege escalation vulnerability in the Linux kernel's user namespace implementation. It uses a cron job to execute a payload that sets the SUID bit on a binary, granting root access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel (versions affected by CVE-2018-18955)
No auth needed
Prerequisites: gcc · newuidmap · newgidmap · writable working directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 21 stars
by scheatkode · poc
https://github.com/scheatkode/CVE-2018-18955

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2018-18955, targeting Linux kernels 4.15.x through 4.19.x before 4.19.2. The exploit leverages mishandled nested user namespaces to escalate privileges to root via multiple techniques (bash_completion, cron, dbus, etc.).

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel 4.15.x through 4.19.x before 4.19.2
Auth required
Prerequisites: CAP_SYS_ADMIN in a user namespace · newuidmap and newgidmap installed · writable working directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by Jann Horn, bcoles · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb

This Metasploit module exploits CVE-2018-18955, a Linux kernel vulnerability in nested user namespaces, allowing local privilege escalation to root. It leverages broken uid/gid mappings in kernels 4.15.0 to 4.18.18 and 4.19.0 to 4.19.1.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel 4.15.0 to 4.18.18, 4.19.0 to 4.19.1
No auth needed
Prerequisites: Unprivileged user namespaces enabled · newuidmap and newgidmap helpers installed · gcc for live compilation (optional)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (15)

Core 15
Core References
Patch, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3836-2/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3835-1/
Patch, Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3833-1/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3832-1/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45915/
Patch, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2
Exploit, Patch, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45886/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3836-1/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105941
Vendor Advisory x_refsource_confirm
https://support.f5.com/csp/article/K39103040
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190416-0003/

Scores

CVSS v3 7.0
EPSS 0.0939
EPSS Percentile 93.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-863
Status published
Products (4)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
linux/linux_kernel 4.15 - 4.19.2
Published Nov 16, 2018
Tracked Since Feb 18, 2026