Linux Kernel 3.18 /dev/sg0 access control ⚔ [Disputed]
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.1 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel 3.18. It has been classified as critical. This issue affects some unknown processing of the file /dev/sg0. The manipulation leads to access control. This vulnerability is referenced as CVE-2018-1000204. Remote exploitation of the attack is possible. No exploit is available. There is ongoing doubt regarding the real existence of this vulnerability. To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability was found in Linux Kernel 3.18 (Operating System). It has been rated as critical. This issue affects an unknown code block of the file /dev/sg0. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream already: https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible.
The bug was discovered 06/08/2018. The weakness was published 06/26/2018 (GitHub Repository). It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2018-1000204 since 06/08/2018. The attack may be initiated remotely. The requirement for exploitation is a simple authentication. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.
The vulnerability was handled as a non-public zero-day exploit for at least 18 days. During that time the estimated underground price was around $5k-$25k. The real existence of this vulnerability is still doubted at the moment. The vulnerability scanner Nessus provides a plugin with the ID 111165 (Debian DLA-1423-1 : linux-4.9 new package (Spectre)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Debian Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 157876 (Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2018-4288)).
Applying the patch a45b599ad808c3c982fdcdc12b0b8611c2f92824 is able to eliminate this problem. A possible mitigation has been published 4 weeks after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at Tenable (111165), SecurityFocus (BID 105120†) and CERT Bund (WID-SEC-2025-2868). Similar entries are available at VDB-117624, VDB-119386, VDB-119423 and VDB-121903. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Affected
- Debian Linux
- Amazon Linux 2
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- SUSE openSUSE
- RESF Rocky Linux
- Open Source Linux Kernel
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.2VulDB Meta Temp Score: 5.1
VulDB Base Score: 5.0
VulDB Temp Score: 4.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.3
NVD Vector: 🔍
CNA Base Score: 5.3
CNA Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 111165
Nessus Name: Debian DLA-1423-1 : linux-4.9 new package (Spectre)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: a45b599ad808c3c982fdcdc12b0b8611c2f92824
Timeline
06/08/2018 🔍06/08/2018 🔍
06/26/2018 🔍
06/26/2018 🔍
06/27/2018 🔍
07/18/2018 🔍
07/20/2018 🔍
08/15/2018 🔍
02/21/2026 🔍
Sources
Vendor: kernel.orgAdvisory: RHSA-2018:2948
Status: Confirmed
Confirmation: 🔍
Disputed: 🔍
CVE: CVE-2018-1000204 (🔍)
GCVE (CVE): GCVE-0-2018-1000204
GCVE (VulDB): GCVE-100-119915
SecurityFocus: 105120 - Linux Kernel 'arch/x86/kernel/paravirt.c' Local Security Bypass Vulnerability
CERT Bund: WID-SEC-2025-2868 - Linux Kernel: Mehrere Schwachstellen
See also: 🔍
Entry
Created: 06/27/2018 08:26Updated: 02/21/2026 03:22
Changes: 06/27/2018 08:26 (78), 02/22/2020 08:55 (5), 03/28/2023 19:53 (4), 03/28/2023 20:00 (1), 08/05/2024 15:46 (29), 01/14/2026 01:43 (10), 01/19/2026 13:19 (2), 02/02/2026 12:46 (1), 02/16/2026 10:48 (1), 02/21/2026 03:22 (1)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.