A new Linux kernel vulnerability identified as CVE-2018-14619 has been discovered by Red Hat Engineering researchers Florian Weimer and Ondrej Mosnacek. Specifically, the flaw was found in the crypto subsystem of the Linux kernel.
CVE-2018-14619 Technical Details
The flaw could allow a local user to crash the machine and to corrupt memory, leading to privilege escalation.
The “null skcipher” was being dropped in the wrong place – when each af_alg_ctx was freed instead of when the aead_tfm was freed. This can cause the null skcipher to be freed while it is still in use, the researchers explained.
The CVE-2018-14619 vulnerability affects the Linux kernel up to 4.15-rc3 and has been classified as critical. A function in the crypto subsystem is affected, resulting in a memory corruption vulnerability. An exploit could impact confidentiality, integrity, and availability, researchers say.
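The misplaced reference drop described above can be seen in a small user-space model. This is an added example, not kernel code or code from the original report: every struct and function name is hypothetical, and it assumes one tfm holds a single reference to the null cipher while several per-socket contexts share that tfm.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy user-space model; all names are hypothetical, not kernel symbols. */
struct null_cipher { int refs; bool freed; };
struct tfm { struct null_cipher *nc; };
struct ctx { struct tfm *tfm; };          /* one per socket, shares the tfm */
struct result { bool freed_early; int final_refs; };

static void nc_get(struct null_cipher *nc) { nc->refs++; }

static void nc_put(struct null_cipher *nc)
{
    if (--nc->refs <= 0)
        nc->freed = true;                 /* a real allocator would release it here */
}

/* The single reference is taken once, when the tfm is set up. */
static void tfm_create(struct tfm *t, struct null_cipher *nc) { t->nc = nc; nc_get(nc); }

/* drop_in_ctx = true models the flawed placement of the put. */
static void ctx_free(struct ctx *c, bool drop_in_ctx) { if (drop_in_ctx) nc_put(c->tfm->nc); }
static void tfm_free(struct tfm *t, bool drop_in_ctx) { if (!drop_in_ctx) nc_put(t->nc); }

/* Create one tfm, free nctx contexts (max 8), then free the tfm. */
struct result run(bool drop_in_ctx, int nctx)
{
    struct null_cipher nc = { 0, false };
    struct tfm t;
    struct ctx c[8];
    struct result r = { false, 0 };

    if (nctx > 8) nctx = 8;
    tfm_create(&t, &nc);
    for (int i = 0; i < nctx; i++) c[i].tfm = &t;
    for (int i = 0; i < nctx; i++) {
        ctx_free(&c[i], drop_in_ctx);
        if (nc.freed) r.freed_early = true;   /* tfm is still alive at this point */
    }
    tfm_free(&t, drop_in_ctx);
    r.final_refs = nc.refs;
    return r;
}

int main(void)
{
    struct result bad = run(true, 2), good = run(false, 2);
    printf("put per ctx: freed_early=%d final_refs=%d\n", bad.freed_early, bad.final_refs);
    printf("put per tfm: freed_early=%d final_refs=%d\n", good.freed_early, good.final_refs);
    return 0;
}
```

With the put tied to context teardown, the count reaches zero while the tfm is still live and then underflows; with the put tied to tfm teardown, it reaches zero exactly once, at the end.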
It appears that the vulnerability was shared on 08/30/2018 in the form of a bug report on Bugzilla (bugzilla.redhat.com). It should be noted that for CVE-2018-14619 to be triggered, local access is required, with a single authentication needed for exploitation. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment, Bugzilla researchers reported.
To mitigate the CVE-2018-14619 vulnerability, upgrading to version 4.15-rc4 is needed. Once the update is applied, the vulnerability is eliminated.