#VU13363 Information disclosure in Linux kernel - CVE-2018-10940
Published: June 15, 2018 / Updated: May 30, 2020
Vulnerability identifier: #VU13363
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10940
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in the cdrom_ioctl_media_changed function due to incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED IOCTL. A local attacker can execute a file or program that submits malicious input to the targeted system, trigger memory corruption and access sensitive kernel information, which could be used to conduct further attacks.
Remediation
Update to version 4.16.6.
External links
- https://github.com/torvalds/linux/commit/9de4ee40547fd315d4a0ed1dd15a2fa3559ad707
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.138
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.164
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.3
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.20
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.82