ASA-2018-00070 – Linux kernel: userfaultfd bypasses tmpfs file permission

Allele Security Alert

Identifier

ASA-2018-00070, CVE-2018-18397

Title

userfaultfd bypasses tmpfs file permission

Vendor

Linux Foundation

Product

Linux kernel

Affected version(s)

Linux kernel versions before 4.20

Linux kernel versions before 4.14.87
Linux kernel versions before 4.19.7
Linux kernel versions before 4.19.11
Linux kernel versions before 4.14.90

Fixed version(s)

Linux kernel version 4.20

Linux kernel version 4.14.87
Linux kernel version 4.19.7
Linux kernel version 4.19.11
Linux kernel version 4.14.90

Proof of concept

Description

In Linux kernel versions since 4.11, userfaultfd can be used to write arbitrary data into holes in sparse tmpfs files to which an attacker has read-only access.

Technical details

Using the userfaultfd API, it is possible to first register a userfaultfd region for any VMA that fulfills vma_can_userfault(): it must be an anonymous VMA (->vm_ops==NULL), a hugetlb VMA (VM_HUGETLB), or a shmem VMA (->vm_ops==shmem_vm_ops). This means that it is, for example, possible to register userfaultfd regions for shared read-only mappings of tmpfs files.

Afterwards, the userfaultfd API can be used on such a region to (atomically) write data into holes in the file's mapping. This API also works on read-only shared mappings.

This means that an attacker with read-only access to a tmpfs file that contains holes can write data into holes in the file.
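As an added check (not part of this advisory or of the kernel's own code), the C probe below tells a defender whether the running kernel enforces the fix: it creates a sparse file of its own in a tmpfs directory (assumed to be /dev/shm), maps it MAP_SHARED read-only, and asks to register that mapping with userfaultfd. A patched kernel rejects the registration with EPERM because the VMA lacks VM_MAYWRITE, while a vulnerable kernel accepts it. The probe never writes through the mapping and reports UNKNOWN when userfaultfd is unavailable (seccomp, vm.unprivileged_userfaultfd=0, no kernel support) or when the directory is not tmpfs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

enum uffd_probe { PROBE_FIXED = 0, PROBE_VULNERABLE = 1, PROBE_UNKNOWN = 2 };

/* Create a sparse file in tmpfs_dir (assumed to be a tmpfs mount such as /dev/shm),
 * map it MAP_SHARED read-only, and ask the kernel to register that VMA with
 * userfaultfd. A kernel carrying the fix rejects the request with EPERM (the VMA
 * lacks VM_MAYWRITE); a vulnerable kernel accepts it. Nothing is written through
 * the mapping at any point. */
enum uffd_probe probe_userfaultfd_readonly_shmem(const char *tmpfs_dir)
{
    enum uffd_probe result = PROBE_UNKNOWN;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char path[256];
    snprintf(path, sizeof path, "%s/uffd-probe-XXXXXX", tmpfs_dir);
    int wfd = mkstemp(path);
    if (wfd < 0) return PROBE_UNKNOWN;
    int ok = ftruncate(wfd, (off_t)page) == 0;   /* one page of hole, no data written */
    int rfd = ok ? open(path, O_RDONLY) : -1;    /* read-only fd, so VM_MAYWRITE stays clear */
    unlink(path);
    close(wfd);
    if (rfd < 0) return PROBE_UNKNOWN;
    void *map = mmap(NULL, page, PROT_READ, MAP_SHARED, rfd, 0);
    close(rfd);
    if (map == MAP_FAILED) return PROBE_UNKNOWN;
    int uffd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (uffd >= 0) {   /* else: no userfaultfd, seccomp, or vm.unprivileged_userfaultfd=0 */
        struct uffdio_api api = { .api = UFFD_API, .features = 0 };
        struct uffdio_register reg = { .range = { .start = (unsigned long)map, .len = page },
                                       .mode = UFFDIO_REGISTER_MODE_MISSING };
        if (ioctl(uffd, UFFDIO_API, &api) == 0) {
            if (ioctl(uffd, UFFDIO_REGISTER, &reg) == 0)
                result = PROBE_VULNERABLE;   /* read-only shmem VMA was accepted */
            else if (errno == EPERM)
                result = PROBE_FIXED;        /* the VM_MAYWRITE check rejected it */
            /* any other errno (e.g. EINVAL when tmpfs_dir is not tmpfs) stays UNKNOWN */
        }
        close(uffd);
    }
    munmap(map, page);
    return result;
}
```

Run it as an unprivileged user, since a root process can mmap the file writable anyway and the check only matters for read-only access.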


Credits

Jann Horn (Google Project Zero)

Reference(s)

Linux: userfaultfd bypasses tmpfs file permissions
Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)
userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
Linux 4.14.87
Linux 4.19.7
Linux 4.19.11
Linux 4.14.90
Linux 4.20
CVE-2018-18397 - Red Hat Customer Portal
CVE-2018-18397 in Ubuntu
CVE-2018-18397 | SUSE



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.