CVE-2018-5333

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-5333. PoCs published by TamiiLambrado, Mohamed Ghannam, Jann Horn, wbowling, bcoles, nstarke, including Metasploit module exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.

AI-analyzed exploit summary This PoC demonstrates a NULL pointer dereference vulnerability in the Linux kernel's RDS socket implementation (CVE-2018-5333). It exploits improper handling of ancillary data in the `rds_cmsg_atomic` function, leading to a crash when `rds_atomic_free_op` is called on an uninitialized scatterlist.

Description

In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.

Exploits (3)

github WORKING POC 3 stars

by TamiiLambrado · cpoc

https://github.com/TamiiLambrado/CVE-pocs/tree/master/CVE-2018-5333-rds-nullderef.c

View Code ZIP pw:eip

This PoC demonstrates a NULL pointer dereference vulnerability in the Linux kernel's RDS socket implementation (CVE-2018-5333). It exploits improper handling of ancillary data in the `rds_cmsg_atomic` function, leading to a crash when `rds_atomic_free_op` is called on an uninitialized scatterlist.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Linux Kernel (v2.6.36-rc1 to v4.14.13)

No auth needed

Prerequisites: Linux system with RDS socket support enabled · Ability to create RDS sockets

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 27, 2026 Full analysis →

metasploit WORKING POC GOOD

by Mohamed Ghannam, Jann Horn, wbowling, bcoles, nstarke · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits a NULL pointer dereference in the `rds_atomic_free_op` function in the Linux kernel's RDS module (CVE-2018-5333) to achieve local privilege escalation. It combines this with a MAP_GROWSDOWN mmap_min_addr bypass (CVE-2019-9213) and includes KASLR/SMEP bypasses.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel (Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic and 4.8.0 <= 4.8.0-54-generic)

No auth needed

Prerequisites: RDS kernel module loaded (or not blacklisted) · 64-bit Ubuntu-based system · SMAP disabled

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Apr 23, 2026 Full analysis →

exploitdb WORKING POC

rubylocallinux

https://www.exploit-db.com/exploits/47957

View Code ZIP pw:eip

This Metasploit module exploits a NULL pointer dereference in the `rds_atomic_free_op` function in the Linux kernel's RDS module (CVE-2018-5333) to achieve local privilege escalation. It combines this with a MAP_GROWSDOWN mmap_min_addr bypass (CVE-2019-9213) and includes KASLR/SMEP bypasses.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel 4.4.0-116-generic and 4.8.0-54-generic (Ubuntu 16.04)

No auth needed

Prerequisites: RDS kernel module loaded · 64-bit Ubuntu 16.04 system · SMAP disabled

MITRE ATT&CK