CVE-2018-18955

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

Predictions

Exploit likelihood

90%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-45886 local linux verified

Google Security Research · 2018-11-16

Linux - Broken uid/gid Mapping for Nested User Namespaces

Source code queued for fetch — refresh in a moment.

EDB-45915 local linux verified

Metasploit · 2018-11-29

Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)

Source code queued for fetch — refresh in a moment.

EDB-47164 local linux

bcoles · 2018-11-21

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)

Source code queued for fetch — refresh in a moment.

EDB-47165 local linux

bcoles · 2019-01-04

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)

Source code queued for fetch — refresh in a moment.

EDB-47166 local linux

bcoles · 2018-11-21

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)

Source code queued for fetch — refresh in a moment.

EDB-47167 local linux

bcoles · 2019-01-04

Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_linux/local/nested_namespace_idmap_limit_priv_esc rank 500

Linux Nested User Namespace idmap Limit Local Privilege Escalation

Source fetch failed: fetch_error — view the original via the link above.

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`4.18.20-1`
sid	Fixed	`4.18.20-1`
forky	Fixed	`4.18.20-1`
bullseye	Fixed	`4.18.20-1`
bookworm	Fixed	`4.18.20-1`

References

https://security-tracker.debian.org/tracker/CVE-2018-18955

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.