CVE-2018-1066 in Linux
Summary
by MITRE
The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/14/2025
The vulnerability identified as CVE-2018-1066 represents a critical NULL pointer dereference flaw within the Linux kernel's CIFS (Common Internet File System) implementation. This security weakness exists in kernel versions prior to 4.11 and specifically affects the fs/cifs/cifsencrypt.c file within the setup_ntlmv2_rsp() function. The flaw manifests when a CIFS client attempts to establish or recover a session with a malicious CIFS server that has been configured to send an empty TargetInfo field during the NTLMSSP (NT LAN Manager Security Support Provider) negotiation process. This particular vulnerability falls under the CWE-476 category of NULL Pointer Dereference, which is a fundamental programming error that occurs when a program attempts to access a memory location through a pointer that has not been properly initialized or has been set to NULL.
The operational impact of this vulnerability is severe: it can lead to a complete system crash, a kernel panic, on any Linux client that has a CIFS share mounted from a compromised server. When the client encounters the malformed NTLMSSP response containing the empty TargetInfo field, the kernel's handling routine fails to validate the incoming data before dereferencing a NULL pointer. The result is an immediate halt in which the kernel stops all processes and reports the panic condition. The attack vector is particularly concerning because it requires minimal privileges from the attacker, who only needs to control a CIFS server reachable by the target client. This makes the vulnerability exploitable wherever a malicious actor has gained control of a CIFS server or can intercept and manipulate network traffic between client and server. The vulnerability is classified under the MITRE ATT&CK technique T1210 - Exploitation of Remote Services, as it leverages a service that is commonly used for file sharing and remote access within enterprise environments.
The technical exploitation of this vulnerability occurs during the session recovery phase of CIFS communication, where the client attempts to re-establish authentication with the server. The setup_ntlmv2_rsp() function builds the client's NTLMv2 response from the target information (TargetInfo) that the server supplied in its NTLMSSP challenge. When that TargetInfo field is empty or improperly formatted, the function does not check for this condition before proceeding with pointer operations on the stored target information. The flaw therefore reflects missing input validation and error handling within the kernel's authentication code. It affects not only individual client systems but can cause cascading failures in enterprise environments where multiple systems mount CIFS shares from the same compromised server. Organizations running older kernel versions are particularly at risk, as the fix was included in kernel version 4.11 and later releases. The recommended mitigation is to upgrade to kernel version 4.11 or higher, which validates the TargetInfo field and handles empty or malformed NTLMSSP responses correctly. Additionally, network segmentation and access controls should limit exposure to untrusted CIFS servers, and monitoring for unusual authentication patterns can help detect exploitation attempts.
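To make the defensive point concrete, the following is an added example written for this page; it is not code from the Linux kernel, from the fix, or from VulDB. It walks an NTLMSSP TargetInfo blob in the AV_PAIR layout defined by MS-NLMP (2-byte little-endian AvId, 2-byte little-endian AvLen, value, terminated by MsvAvEOL) the way a client must when it extracts fields such as the server timestamp for an NTLMv2 response. The function names and the sample blob are constructed for the example; the point is that an empty or absent TargetInfo and a truncated blob are rejected before any byte is dereferenced, which is exactly the check whose absence this CVE describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AV_PAIR ids from MS-NLMP section 2.2.2.1 (only the ones used here). */
#define MSV_AV_EOL        0x0000
#define MSV_AV_NB_DOMAIN  0x0002
#define MSV_AV_TIMESTAMP  0x0007

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Locate AV pair `want_id` inside a TargetInfo blob.
 * Returns the value length (>= 0) and sets *out to the value, or -1 if the
 * blob is NULL/empty, truncated, or does not contain the pair.
 * A NULL or zero-length blob is the condition CVE-2018-1066 concerns: it is
 * refused here before any memory behind `blob` is touched.
 */
static int find_av_pair(const uint8_t *blob, size_t len, uint16_t want_id,
                        const uint8_t **out)
{
    size_t off = 0;

    if (out)
        *out = NULL;
    if (blob == NULL || len == 0)      /* empty TargetInfo: nothing to walk */
        return -1;

    while (off + 4 <= len) {           /* need a full 4-byte header */
        uint16_t id = rd16le(blob + off);
        uint16_t alen = rd16le(blob + off + 2);

        off += 4;
        if (id == MSV_AV_EOL)
            return -1;                 /* terminator reached, pair absent */
        if (alen > len - off)
            return -1;                 /* value would run past the blob */
        if (id == want_id) {
            if (out)
                *out = blob + off;
            return (int)alen;
        }
        off += alen;
    }
    return -1;                         /* no MsvAvEOL before the end: malformed */
}

/*
 * Mirror of the "find the server timestamp" step a client performs when
 * building its NTLMv2 response. Returns the 64-bit little-endian timestamp,
 * or 0 if the TargetInfo is empty, malformed, or lacks MsvAvTimestamp.
 */
static uint64_t timestamp_or_zero(const uint8_t *blob, size_t len)
{
    const uint8_t *val;
    uint64_t ts = 0;
    int n = find_av_pair(blob, len, MSV_AV_TIMESTAMP, &val);

    if (n != 8)                        /* timestamp is exactly 8 bytes */
        return 0;
    for (int i = 7; i >= 0; i--)
        ts = (ts << 8) | val[i];
    return ts;
}

/* Constructed sample: domain "EX" (UTF-16LE), an 8-byte timestamp, then EOL. */
static const uint8_t sample_targetinfo[] = {
    0x02, 0x00, 0x04, 0x00, 'E', 0x00, 'X', 0x00,                       /* MsvAvNbDomainName */
    0x07, 0x00, 0x08, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, /* MsvAvTimestamp */
    0x00, 0x00, 0x00, 0x00                                              /* MsvAvEOL */
};

int main(void)
{
    printf("timestamp from valid blob:  0x%016llx\n",
           (unsigned long long)timestamp_or_zero(sample_targetinfo, sizeof sample_targetinfo));
    printf("timestamp from empty blob:  0x%016llx (rejected)\n",
           (unsigned long long)timestamp_or_zero(NULL, 0));
    printf("timestamp from truncated:   0x%016llx (rejected)\n",
           (unsigned long long)timestamp_or_zero(sample_targetinfo, 10));
    return 0;
}
```

The same `find_av_pair()` serves every field lookup (domain name, timestamp, and so on), so a single length and NULL check at its entry covers all callers; that is preferable to remembering to guard each caller separately, which is the pattern a session-reconnect path can easily miss.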