ASA-2018-00014 – Linux kernel: TLB flush happens too late on mremap()

Allele Security Alert



ASA-2018-00014, CVE-2018-18281


TLB flush happens too late on mremap()


Linux Foundation


Linux kernel

Affected version(s)

Linux kernel versions before 4.19

Linux kernel versions before 4.9.135
Linux kernel versions before 4.14.78
Linux kernel versions before 4.18.16
Linux kernel versions before 4.4.163
Linux kernel versions before 3.18.125
Linux kernel versions before 3.16.62

Fixed version(s)

Linux kernel version 4.19

Linux kernel version 4.9.135
Linux kernel version 4.14.78
Linux kernel version 4.18.16
Linux kernel version 4.4.163
Linux kernel version 3.18.125
Linux kernel version 3.16.62

Proof of concept



Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.
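The version lists above can be turned into a triage check for upstream kernel release strings. This is an added example, not part of the original alert. The function names and the "unknown" result for 4.19 release candidates are assumptions of the example. Vendor kernels can carry a backported fix under an older version number, so results for distribution kernels should be confirmed against the vendor pages listed in the references.

```python
import platform
import re

# Fixed stable release per branch, from the alert's "Fixed version(s)" list.
FIXED_PATCH = {(3, 16): 62, (3, 18): 125, (4, 4): 163,
               (4, 9): 135, (4, 14): 78, (4, 18): 16}
FIRST_AFFECTED = (3, 2)         # alert: late flush present "since Linux kernel version 3.2"
FIRST_FIXED_MAINLINE = (4, 19)  # alert: fixed in Linux kernel version 4.19


def parse_release(release):
    """Split a `uname -r` style string such as '4.14.77-generic' or '4.19-rc8'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    branch = (int(m.group(1)), int(m.group(2)))
    return branch, int(m.group(3) or 0), m.group(4)


def status(release):
    """Classify an upstream kernel release for CVE-2018-18281.

    Returns 'not affected', 'affected', 'fixed' or 'unknown'.
    """
    branch, patch, suffix = parse_release(release)
    if branch < FIRST_AFFECTED:
        return "not affected"
    if branch > FIRST_FIXED_MAINLINE:
        return "fixed"
    if branch == FIRST_FIXED_MAINLINE:
        # The alert does not say which 4.19 release candidate first had the fix.
        return "unknown" if patch == 0 and "-rc" in suffix else "fixed"
    if branch in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[branch] else "affected"
    # Branch from 3.2 up to (not including) 4.19 with no fixed release in the alert.
    return "affected"


if __name__ == "__main__":
    # Assumes a Linux host; platform.release() returns the `uname -r` string.
    running = platform.release()
    print(f"{running}: {status(running)}")
```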

Technical details



Jann Horn (Google Project Zero)


Linux: mremap() TLB flush too late with concurrent ftruncate()

Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135, 4.14.78, 4.18.16, 4.19)

mremap: properly flush TLB before releasing the page

Analysis of the TLB cache delayed-flush vulnerability – PDS

android_vuln_poc-exp/EXP-CVE-2018-18281 at master · jiayy/android_vuln_poc-exp

Linux kernel 4.19

Linux kernel 4.18.16

Linux kernel 4.14.78

Linux kernel 4.9.135

Linux kernel 4.4.163

Linux kernel 3.18.125

Linux kernel 3.16.62

CVE-2018-18281 - Red Hat Customer Portal

CVE-2018-18281 in Ubuntu


CVE-2018-18281 | SUSE



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.