ASA-2018-00091 – Linux kernel: Use-after-free in svc_process_common()

Allele Security Alert



ASA-2018-00091, CVE-2018-16884


Use-after-free in svc_process_common()

Vendor

Linux Foundation

Product

Linux kernel

Affected version(s)

Linux kernel versions before 4.20.3
Linux kernel versions before 4.14.94
Linux kernel versions before 4.9.151
Linux kernel versions before 4.4.171
Linux kernel versions before 3.18.133
Linux kernel versions before 3.16.64

Fixed version(s)

Linux kernel version 4.20.3
Linux kernel version 4.14.94
Linux kernel version 4.9.151
Linux kernel version 4.4.171
Linux kernel version 3.18.133
Linux kernel version 3.16.64

Proof of concept


Description

A flaw was found in the NFS4 subsystem of the Linux kernel. NFSv4.1+ shares mounted in different network namespaces at the same time can make bc_svc_process() use the wrong back-channel ID and cause a use-after-free. A malicious container user can therefore cause host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.

Technical details

If a node has NFSv4.1+ mounts inside several network namespaces, this can lead to a use-after-free in svc_process_common().

/* Setup reply header */
rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); /* <<< HERE: rq_xprt may already have been freed */

svc_process_common() can use an already freed rqstp->rq_xprt; it was assigned in bc_svc_process(), where it was taken from serv->sv_bc_xprt.

serv is a global structure, but sv_bc_xprt is assigned per network namespace, so if NFSv4.1+ shares are mounted in several containers at the same time, bc_svc_process() can use the wrong back channel or even access freed memory.
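The lifetime bug described above, as an added user-space model (not kernel code, and not the upstream patch): a single global serv whose sv_bc_xprt pointer is overwritten by every namespace that brings a back channel up, so a callback for one namespace is processed with another namespace's transport, possibly after that transport is gone. The structs, the bc_up()/bc_down() helpers and the "freed" flag are assumptions made for the model; the hardened variant only illustrates the general remedy of tying the transport to the request instead of to the global server.

```c
#include <stddef.h>
/* User-space model of the lifetime bug (not kernel code): one global
 * svc_serv, but its sv_bc_xprt is (re)assigned per network namespace. */
struct svc_xprt { int ns_id; int freed; };
struct svc_serv { struct svc_xprt *sv_bc_xprt; };
struct rpc_rqst { int ns_id; struct svc_xprt *bc_xprt; };
static struct svc_serv serv;      /* the single, global server structure */
static struct svc_xprt xprts[2];  /* one back-channel transport per namespace */

/* Mounting an NFSv4.1+ share in namespace ns brings its back channel up and
 * overwrites the global pointer, whatever the other namespace had set there. */
static struct svc_xprt *bc_up(int ns)
{
	xprts[ns].ns_id = ns;
	xprts[ns].freed = 0;
	serv.sv_bc_xprt = &xprts[ns];
	return &xprts[ns];
}

/* Unmount / namespace teardown frees the transport; serv is not updated. */
static void bc_down(struct svc_xprt *x) { x->freed = 1; }

/* 0 on success, -1 if the transport is already freed (the use-after-free
 * case), -2 if it belongs to a different namespace (wrong back channel). */
static int check_xprt(const struct rpc_rqst *req, const struct svc_xprt *x)
{
	if (x == NULL || x->freed)
		return -1;
	return x->ns_id == req->ns_id ? 0 : -2;
}

/* Vulnerable pattern: transport taken from the global serv. */
static int bc_svc_process_vuln(const struct rpc_rqst *req) { return check_xprt(req, serv.sv_bc_xprt); }

/* Hardened pattern (illustrative): the transport travels with the request. */
static int bc_svc_process_fixed(const struct rpc_rqst *req) { return check_xprt(req, req->bc_xprt); }

/* ns0 mounts, then ns1 mounts (and optionally tears down); a callback for
 * ns0 is then processed through the chosen code path. */
static int scenario(int teardown_ns1, int use_fixed_path)
{
	struct svc_xprt *x0 = bc_up(0);
	struct svc_xprt *x1 = bc_up(1);
	struct rpc_rqst req = { .ns_id = 0, .bc_xprt = x0 };
	if (teardown_ns1)
		bc_down(x1);
	return use_fixed_path ? bc_svc_process_fixed(&req) : bc_svc_process_vuln(&req);
}
```

With ns1 still mounted the vulnerable path answers ns0's callback on ns1's back channel (-2); once ns1 is torn down it dereferences the freed transport (-1), while the request-bound variant returns 0 in both cases.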

Credits

Vasily Averin (Virtuozzo) and Evgenii Shatokhin (Virtuozzo)

References

CVE-2018-16884: Linux kernel: nfs: use-after-free in svc_process_common()

sunrpc: use-after-free in svc_process_common()

NFS: callback up – users counting cleanup

Linux kernel 4.20.3

Linux kernel 4.14.94

Linux kernel 4.9.151

Linux kernel 4.4.171

Linux kernel 3.18.133

Linux kernel 3.16.64

CVE-2018-16884 - Red Hat Customer Portal

CVE-2018-16884 in Ubuntu

CVE-2018-16884 | SUSE



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.