This issue can occur if a maliciously modified device can cause a kernel crash during media driver register.
CVE-2018-10960 exists in the Linux kernel before version 4.18. The kvm_set_msr_ Host CPU extensions can be exploited to leak host physical address through unknown vectors.
CVE-2018-10965 exists in the Linux kernel before version 3.18. The splice() system call mishandles reductions.
CVE-2018-10967 exists in the Linux kernel before version 4.18. The vhost_copy_skb function in virtual host ( virt/host/vhost_copy.c ) does not initialize a certain data structure, which allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact.
CVE-2018-10969 exists in the Linux kernel before version 4.18. The blkdev_get_data function in block/blkdev.c mishandles a request for data from an invalid device.
Concretely, attackers can cause a denial of service by triggering a memory corruption.
CVE-2018-10970 exists in the Linux kernel before version 4.18. The perf_event_ns_event function in kernel/events/core.c has an integer overflow because it fails to validate the length of an argument.
An attacker can exploit this to crash the system.
Linux kernel version information
Linux kernel: 4.12.14-1~deb9u1
Linux kernel: 4.11.5-1
Linux kernel: 3.2.93
Code execution vulnerability in the Linux kernel
The "compat_ioctl32" function in fs/ioctl32.c can be called with incorrect parameters, allowing a local user to cause a denial of service (system crash) or gain administrative privileges.
Operation Scenarios and Outcomes
CVE-2018-10971 exists in the Linux kernel before version 4.18. The nfs4_do_layout function in fs/nfs/nfs4xdr.c does not validate a certain payload length, which allows local users to cause a denial of service (kernel OOPS) or possibly have unspecified other impact via crafted use of the enospc ioctl call.
An attacker could exploit this by sending a long argument to the nfsd ioctl, causing a kernel crash and system reboot.
CVE-2018-10972 is an issue that can occur when the fuse_fill_write() function fails to check the return value of write(). An attacker could exploit this by mapping non-existing or unwritable pages, triggering memory corruption and a kernel crash.
Published on: 11/25/2022 04:15:00 UTC
Last modified on: 11/29/2022 21:00:00 UTC