Information disclosure in Linux kernel - CVE-2018-10940


Published: June 15, 2018 / Updated: May 30, 2020


Vulnerability identifier: #VU13363
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10940
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in the cdrom_ioctl_media_changed function due to an incorrect bounds check in the CDROM driver's CDROM_MEDIA_CHANGED IOCTL handler. A local attacker can run a program that submits malicious input to the targeted system, trigger memory corruption and read sensitive kernel information, which could be used to conduct further attacks.
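As an added illustration (not the advisory's or the kernel's own code): the upstream fix for this CVE replaced a signed-int cast in the ioctl's slot-index comparison with an unsigned comparison. The constructed program below puts the weak check beside the fixed one and shows which arguments each accepts; CAPACITY, slot_changed and the input values are assumptions, and the casts assume a 64-bit unsigned long.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed stand-in for a changer's slot table; not kernel code. */
#define CAPACITY 4
static const int slot_changed[CAPACITY] = {1, 0, 1, 0};

/* Weak bounds check: the unsigned long ioctl argument is cast to a signed
 * int before being compared with the (int) capacity.  Any argument whose
 * low 32 bits form a negative int, or that only sets bits above bit 31,
 * passes even though it is not a valid slot index.  Returns true if accepted. */
bool weak_check(unsigned long arg, int capacity)
{
    return !((int)arg >= capacity);
}

/* Fixed bounds check: compare in the argument's own unsigned type, so every
 * value >= capacity is rejected (a slot count is assumed non-negative). */
bool fixed_check(unsigned long arg, int capacity)
{
    return !(arg >= (unsigned long)capacity);
}

/* Whether an index actually lies inside the constructed table. */
bool in_bounds(unsigned long arg)
{
    return arg < CAPACITY;
}

int main(void)
{
    /* Constructed inputs: a valid slot, an index just past the end, the
     * all-ones value (-1 as int) and a value with only a high bit set. */
    const unsigned long inputs[] = {1UL, 4UL, (unsigned long)-1, 0x100000002UL};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned long a = inputs[i];
        printf("arg=0x%lx weak=%s fixed=%s in_bounds=%s\n", a,
               weak_check(a, CAPACITY) ? "accept" : "reject",
               fixed_check(a, CAPACITY) ? "accept" : "reject",
               in_bounds(a) ? "yes" : "no");
        if (fixed_check(a, CAPACITY))   /* only safe after the fixed check */
            printf("  slot_changed[%lu] = %d\n", a, slot_changed[a]);
    }
    return 0;
}
```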


How to mitigate CVE-2018-10940

Update the Linux kernel to version 4.16.6.

Sources