CVE-2018-8897

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2018-8897
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2018-05-08 18:29:00 UTC
Updated2019-10-03 00:03:00 UTC
DescriptionA statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

Risk And Classification

Problem Types: CWE-362

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Apple Mac Os X All All All All
Operating System Apple Mac Os X All All All All
Operating System Canonical Ubuntu Linux 14.04 All All All
Operating System Canonical Ubuntu Linux 16.04 All All All
Operating System Canonical Ubuntu Linux 17.10 All All All
Operating System Canonical Ubuntu Linux 14.04 All All All
Operating System Canonical Ubuntu Linux 16.04 All All All
Operating System Canonical Ubuntu Linux 17.10 All All All
Application Citrix Xenserver 6.0.2 All All All
Application Citrix Xenserver 6.2.0 All All All
Application Citrix Xenserver 6.5 All All All
Application Citrix Xenserver 7.0 All All All
Application Citrix Xenserver 7.1 All All All
Application Citrix Xenserver 7.2 All All All
Application Citrix Xenserver 7.3 All All All
Application Citrix Xenserver 7.4 All All All
Application Citrix Xenserver 6.0.2 All All All
Application Citrix Xenserver 6.2.0 All All All
Application Citrix Xenserver 6.5 All All All
Application Citrix Xenserver 7.0 All All All
Application Citrix Xenserver 7.1 All All All
Application Citrix Xenserver 7.2 All All All
Application Citrix Xenserver 7.3 All All All
Application Citrix Xenserver 7.4 All All All
Operating System Debian Debian Linux 7.0 All All All
Operating System Debian Debian Linux 8.0 All All All
Operating System Debian Debian Linux 9.0 All All All
Operating System Debian Debian Linux 7.0 All All All
Operating System Debian Debian Linux 8.0 All All All
Operating System Debian Debian Linux 9.0 All All All
Operating System Freebsd Freebsd All All All All
Operating System Freebsd Freebsd All All All All
Operating System Redhat Enterprise Linux Server 7.0 All All All
Operating System Redhat Enterprise Linux Server 7.0 All All All
Operating System Redhat Enterprise Linux Workstation 7.0 All All All
Operating System Redhat Enterprise Linux Workstation 7.0 All All All
Operating System Redhat Enterprise Virtualization Manager 3.0 All All All
Operating System Redhat Enterprise Virtualization Manager 3.0 All All All
Operating System Synology Diskstation Manager 5.2 All All All
Operating System Synology Diskstation Manager 6.0 All All All
Operating System Synology Diskstation Manager 6.1 All All All
Operating System Synology Diskstation Manager 5.2 All All All
Operating System Synology Diskstation Manager 6.0 All All All
Operating System Synology Diskstation Manager 6.1 All All All
Application Synology Skynas - All All All
Application Synology Skynas - All All All
Operating System Xen Xen - All All All
Operating System Xen Xen - All All All

References

ReferenceSourceLinkTags
x86/entry/64: Don't use IST entry for #BP stack · torvalds/linux@d8ba61b · GitHub MISC github.com Patch, Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
kernel/git/torvalds/linux.git - Linux kernel source tree MISC git.kernel.org Patch, Third Party Advisory
CVE-2018-8897 x86 Debug Exception Vulnerability in NetApp Products | NetApp Product Security CONFIRM security.netapp.com
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Apple macOS/OS X LinkPresentation, Crash Reporter, and Kernel Bugs Let Remote Users Spoof the User Interface and Local Users Gain Elevated Privileges - SecurityTracker SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Huawei - Building a Fully Connected, Intelligent World CONFIRM www.huawei.com
FreeBSD Kernel Debug Exception Handling Flaw Lets Local Users Gain Elevated Privileges - SecurityTracker SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Spurious #DB exceptions with the "MOV SS" and "POP SS" instructions (CVE-2018-8897) MISC www.triplefault.io Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
[SECURITY] [DLA 1577-1] xen security update MLIST lists.debian.org
Debian -- Security Information -- DSA-4201-1 xen DEBIAN www.debian.org Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Citrix XenServer Multiple Security Updates CONFIRM support.citrix.com Third Party Advisory
Debian -- Security Information -- DSA-4196-1 linux DEBIAN www.debian.org Third Party Advisory
DCIM Support CONFIRM help.ecostruxureit.com
Microsoft Windows - 'POP/MOV SS' Privilege Escalation - Windows local Exploit EXPLOIT-DB www.exploit-db.com Exploit, Third Party Advisory, VDB Entry
CERT Vulnerability Notes Database CERT-VN www.kb.cert.org
[SECURITY] [DLA 1392-1] linux security update MLIST lists.debian.org Third Party Advisory
XSA-260 - Xen Security Advisories MISC xenbits.xen.org Patch, Third Party Advisory
Xen Debug Exception Handling Flaw Lets Local Users on a PV Guest System Gain Elevated Privileges on the Host System - SecurityTracker SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc MISC www.freebsd.org Third Party Advisory
oss-security - CVE-2018-8897: #DB exceptions that are deferred by MOV SS or POP SS may cause unexpected behavior MISC openwall.com Mailing List, Third Party Advisory
[SECURITY] [DLA 1383-1] xen security update MLIST lists.debian.org Third Party Advisory
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897 CONFIRM portal.msrc.microsoft.com Patch, Third Party Advisory, Vendor Advisory
Synology Inc. CONFIRM www.synology.com Third Party Advisory
1567074 – (CVE-2018-8897) CVE-2018-8897 Kernel: error in exception handling leads to DoS MISC bugzilla.redhat.com Issue Tracking, Third Party Advisory
Microsoft Windows Kernel CVE-2018-8897 Local Privilege Escalation Vulnerability BID www.securityfocus.com Third Party Advisory, VDB Entry
selftests/x86: Add mov_to_ss - Patchwork MISC patchwork.kernel.org Patch, Third Party Advisory
oss-security - Xen Security Advisory 260 (CVE-2018-8897) - x86: mishandling of debug exceptions MISC openwall.com Mailing List, Third Party Advisory
Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit) - Windows local Exploit EXPLOIT-DB www.exploit-db.com
GitHub - can1357/CVE-2018-8897: Arbitrary code execution with kernel privileges using CVE-2018-8897. MISC github.com Exploit, Third Party Advisory
Windows Kernel Multiple Flaws Let Local Users Bypass Security Restictions, Obtain Potentially Sensitive Information, and Gain Elevated Privileges on the Target System - SecurityTracker SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Linux Kernel Debug Exception Handling Flaw Lets Local Users Cause Denial of Service Conditions on the Target System - SecurityTracker SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
USN-3641-2: Linux kernel vulnerabilities | Ubuntu security notices UBUNTU usn.ubuntu.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
[base] Revision 333368 MISC svnweb.freebsd.org Third Party Advisory
About the security content of Security Update 2018-001 - Apple Support MISC support.apple.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
USN-3641-1: Linux kernel vulnerabilities | Ubuntu security notices UBUNTU usn.ubuntu.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 500749 Alpine Linux Security Update for xen
  • 504526 Alpine Linux Security Update for xen
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report