CVE-2018-19788

HIGH

PolicyKit <0.115 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2018-19788. PoCs published by Ekultek, AbsoZed, d4gh0s7.

AI-analyzed exploit summary This PoC leverages CVE-2018-19788, a vulnerability in polkit/systemd where users with a UID over INT_MAX can execute privileged systemctl commands. The exploit allows reading protected files (e.g., /etc/shadow) without a root shell by abusing systemd-run.

Description

A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.

Exploits (5)

nomisec WORKING POC 19 stars
by Ekultek · poc
https://github.com/Ekultek/PoC

This PoC leverages CVE-2018-19788, a vulnerability in polkit/systemd where users with a UID over INT_MAX can execute privileged systemctl commands. The exploit allows reading protected files (e.g., /etc/shadow) without a root shell by abusing systemd-run.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: polkit/systemd (versions <= 239 for systemd, <= 115 for polkit)
Auth required
Prerequisites: User with UID > INT_MAX (e.g., 4000000000) · Access to a vulnerable systemd/polkit environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by AbsoZed · poc
https://github.com/AbsoZed/CVE-2018-19788

This PoC exploits CVE-2018-19788, a privilege escalation vulnerability in PolKit, by creating a malicious systemd service that spawns a reverse shell. It requires a user with a UID > INT_MAX or sufficient permissions to create users.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: PolKit (systemd)
Auth required
Prerequisites: User with UID > INT_MAX or permissions to create users · Access to systemd
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by d4gh0s7 · poc
https://github.com/d4gh0s7/CVE-2018-19788

This PoC exploits CVE-2018-19788, a local privilege escalation vulnerability in PolicyKit (polkit) version 0.115. It creates a malicious systemd service to escalate privileges by adding the current user to a privileged group (e.g., sudo, admin, or wheel).

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: PolicyKit (polkit) version 0.115
Auth required
Prerequisites: Local user access · PolicyKit version 0.115 · systemd-based Linux distribution
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by jhlongjr · poc
https://github.com/jhlongjr/CVE-2018-19788

This PoC exploits CVE-2018-19788, a PolicyKit vulnerability, by creating a user with a high UID to bypass authentication and escalate privileges. It demonstrates privilege escalation by modifying systemd services to set the SUID bit on `/usr/bin/find` and then using it to read sensitive files and gain root access.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: PolicyKit (polkit) on CentOS 7
Auth required
Prerequisites: Root access to create a user with a high UID · Systemd and PolicyKit installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
gitlab WORKING POC
by hyperd · poc
https://gitlab.com/hyperd/ansible-role-cve-2018-19788

This repository contains a functional Ansible role and PoC script for CVE-2018-19788, a local privilege escalation vulnerability in PolicyKit (polkit) version 0.115. The exploit leverages a UID overflow to gain elevated privileges by creating a malicious systemd service.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: PolicyKit (polkit) 0.115
Auth required
Prerequisites: Local user access · UID >= 2147483647
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3861-1/
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/01/msg00021.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3861-2/
Issue Tracking, Mailing List, Third Party Advisory x_refsource_misc
https://bugs.debian.org/915332
Exploit, Patch, Third Party Advisory x_refsource_misc
https://gitlab.freedesktop.org/polkit/polkit/issues/74
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4350
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2046
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-14
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3232

Scores

CVSS v3 8.8
EPSS 0.1148
EPSS Percentile 95.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-20
Status published
Products (8)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
debian/debian_linux 8.0
debian/debian_linux 9.0
polkit_project/polkit 0.115
Published Dec 03, 2018
Tracked Since Feb 18, 2026