DEBIAN-CVE-2018-14633

Advisory lineage Upstream: 1 Downstream: 3

Upstream

CVE-2018-14633

Downstream

DLA-1529-1 DLA-1531-1 DSA-4308-1

Published: 25 Sept 2018, 00:29

Last modified:28 Apr 2026, 20:18

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7 HIGH

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

25 Sept 2018, 00:29

Published

Vulnerability first disclosed

28 Apr 2026, 20:18

Last Modified

Vulnerability information updated

Description

A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.

CVSS Metrics

v3.1•HIGH•Score: 7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Affected Systems

debian•linux
< 4.18.10-1 | < 4.18.10-1 | < 4.18.10-1 | < 4.18.10-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2018-14633