Race condition in Linux kernel - CVE-2018-5873
Published: July 6, 2018 / Updated: June 28, 2025
Vulnerability identifier: #VU36952
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-5873
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.
How to mitigate CVE-2018-5873
Install update from vendor's website.
Sources
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=073c516ff73557a8f731506685...
- https://github.com/torvalds/linux/commit/073c516ff73557a8f7315066856c04b50383ac34
- https://source.android.com/security/bulletin/2018-07-01
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=34742aaf7cb16c95edba4a7afed6d2c4fa7e...
- https://www.codeaurora.org/security-bulletin/2018/07/02/july-2018-code-aurora-security-bulletin