A vulnerability classified as problematic has been found in Linux Kernel up to 4.13 (Operating System). Affected is the function f2fs_wait_discard_bios of the component f2fs. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on availability. CVE summarizes:

The f2fs implementation in the Linux kernel before 4.14 mishandles reference counts associated with f2fs_wait_discard_bios calls, which allows local users to cause a denial of service (BUG), as demonstrated by fstrim.

The bug was discovered 10/03/2017. The weakness was shared 02/26/2018 as confirmed git commit (GIT Repository). The advisory is available at git.kernel.org. This vulnerability is traded as CVE-2017-18200 since 02/25/2018. Local access is required to approach this attack. The successful exploitation needs a authentication. Technical details are known, but there is no available exploit.

The vulnerability was handled as a non-public zero-day exploit for at least 145 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 4.14 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be patching the affected component.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5
• 4.6
• 4.7
• 4.8
• 4.9
• 4.10
• 4.11
• 4.12
• 4.13

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion