CVE-2018-8897: Race Condition

Published Apr 13, 2018
·
Updated

A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, processor does not deliver interrupts and exceptions, they are delivered once the first instruction after the stack switch is executed.

An unprivileged system user could use this flaw to crash the system kernel resulting in DoS.

Upstream patch: --------------- -> https://git.kernel.org/linus/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9

Reference: ---------- -> http://www.openwall.com/lists/oss-security/2018/05/08/4

Other sources

A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service.

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

Kernel. In some circumstances, some operating systems may not expect or properly handle an Intel architecture debug exception after certain instructions. The issue appears to be from an undocumented side effect of the instructions. An attacker might utilize this exception handling to gain access to Ring 0 and access sensitive memory or control operating system processes.

Credit

Andy Lutomirski, Nick Peterson (linkedin.com/in/everdox)(Everdox Tech LLC)

Affected Software

47 affected componentsFixes available
redhat/kernel<0:2.6.18-348.39.2.el5
0:2.6.18-348.39.2.el5
redhat/kernel<0:2.6.18-431.el5
0:2.6.18-431.el5
redhat/kernel<0:2.6.32-696.28.1.el6
0:2.6.32-696.28.1.el6
redhat/kernel<0:2.6.32-358.88.2.el6
0:2.6.32-358.88.2.el6
redhat/kernel<0:2.6.32-431.89.2.el6
0:2.6.32-431.89.2.el6
redhat/kernel<0:2.6.32-504.68.2.el6
0:2.6.32-504.68.2.el6
redhat/kernel<0:2.6.32-573.55.2.el6
0:2.6.32-573.55.2.el6
redhat/kernel-rt<0:3.10.0-862.2.3.rt56.806.el7
0:3.10.0-862.2.3.rt56.806.el7
redhat/kernel<0:3.10.0-862.2.3.el7
0:3.10.0-862.2.3.el7
redhat/kernel<0:3.10.0-327.66.3.el7
0:3.10.0-327.66.3.el7
redhat/kernel<0:3.10.0-514.48.3.el7
0:3.10.0-514.48.3.el7
redhat/kernel<0:3.10.0-693.25.4.el7
0:3.10.0-693.25.4.el7
redhat/kernel-rt<1:3.10.0-693.25.4.rt56.613.el6
1:3.10.0-693.25.4.rt56.613.el6
redhat/imgbased<0:1.0.16-0.1.el7e
0:1.0.16-0.1.el7e
redhat/ovirt-node-ng<0:4.2.0-0.20170814.0.el7
0:4.2.0-0.20170814.0.el7
redhat/redhat-release-virtualization-host<0:4.2-3.0.el7
0:4.2-3.0.el7
redhat/rhev-hypervisor7<0:7.3-20180521.1.el6e
0:7.3-20180521.1.el6e
redhat/rhev-hypervisor7<0:7.3-20180521.1.el7e
0:7.3-20180521.1.el7e
Apple macOS High Sierra<10.13.5
10.13.5
Apple Sierra
Apple El Capitan
Debian Debian Linux=7.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=17.10
redhat Enterprise Linux Server=7.0
redhat Enterprise Linux Workstation=7.0
redhat Enterprise Virtualization Manager=3.0
Citrix XenServer=6.0.2
Citrix XenServer=6.2.0
Citrix XenServer=6.5
Citrix XenServer=7.0
Citrix XenServer=7.1
Citrix XenServer=7.2
Citrix XenServer=7.3
Citrix XenServer=7.4
Synology Skynas
Synology Diskstation Manager=5.2
Synology Diskstation Manager=6.0
Synology Diskstation Manager=6.1
Apple iOS and macOS<10.13.4
XEN Xen
FreeBSD FreeBSD>=11.0<11.1
debian/linux
5.10.223-15.10.249-16.1.159-16.1.162-16.12.63-16.12.73-16.18.12-1
debian/xen
4.14.6-14.14.5+94-ge49571868d-14.17.5+72-g01140da4e8-14.20.2+7-g1badcf5035-0+deb13u14.20.2+7-g1badcf5035-24.20.2+37-g61ff35323e-1

Remediation

Patch Available

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9

Patch Available

https://github.com/torvalds/linux/commit/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9

Patch Available

https://patchwork.kernel.org/patch/10386677/

Patch Available

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897

Patch Available

https://xenbits.xen.org/xsa/advisory-260.html

Event History

Apr 13, 2018
Data Sourced
via Red Hat·11:51 AM
DescriptionSeverityAffected Software
May 8, 2018
CVE Published
12:00 AM
CVE Published
via MITRE·06:00 PM
Data Sourced
via MITRE·06:00 PM
Description
Data Sourced
via NVD·06:29 PM
RemedyDescriptionSeverityWeaknessAffected Software
Feb 20, 2026
Data Sourced
via Ubuntu·03:21 PM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Launchpad·03:21 PM
Description
Feb 23, 2026
Data Sourced
via Debian·03:25 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2018-8897?

CVE-2018-8897 has a medium severity rating, indicating a moderate level of risk associated with exploitation.

2

How do I fix CVE-2018-8897?

To fix CVE-2018-8897, ensure that your Linux kernel is updated to the appropriate patched version as specified by the vendor.

3

What systems are affected by CVE-2018-8897?

CVE-2018-8897 affects various versions of the Linux kernel across distributions like Red Hat and Debian.

4

Is CVE-2018-8897 exploitable remotely?

CVE-2018-8897 is considered non-remotely exploitable; it requires local access to the system for exploitation.

5

What is the nature of the flaw in CVE-2018-8897?

CVE-2018-8897 is related to improper exception handling during stack switch operations in the Linux kernel.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203