Mallory
Severity: High · CISA KEV · Exploited in the wild · Public exploit

Mutagen Astronomy: Linux kernel create_elf_tables() integer overflow local privilege escalation

Identifiers: CVE-2018-14634 · CWE-190 (Integer Overflow or Wraparound)

CVE-2018-14634 is a local privilege escalation vulnerability in the Linux kernel's create_elf_tables() function, which lays out the initial user stack (argv, envp and the auxiliary vector) during execve(). The flaw is an integer overflow in the count of stack entries to reserve: argc and envc can each reach MAX_ARG_STRINGS (0x7FFFFFFF), so the expression (argc + 1) + (envc + 1) + 1, computed in a signed int, wraps to a negative value. STACK_ROUND() then subtracts that negative count from the stack pointer, so the user stack pointer moves up instead of down, into the pages that hold the attacker-supplied argument and environment strings, and the argv/envp pointer arrays are written over data the attacker controls. Qualys, who reported the bug under the name "Mutagen Astronomy", showed that this corrupted layout can be abused during execution of a SUID-root or otherwise privileged binary so that environment variables the dynamic loader would normally discard for privileged programs, such as LD_LIBRARY_PATH or LD_PRELOAD, survive into the privileged context, yielding code execution as root. The flaw affects 64-bit kernels only (the 32-bit case is not exploitable), and because roughly 2^31 strings and their 8-byte pointers must be materialised, Qualys noted that exploitation needs a machine with a large amount of memory (on the order of 32 GB). Kernel lines reported vulnerable are 2.6.x, 3.10.x and 4.14.x; exploitability is tied to kernels that contain commit b6a2fea39318 ("mm: variable length argument support") but lack the mitigating change da029c11e6b1 ("exec: Limit arg stack to at most 75% of _STK_LIM").
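The arithmetic behind the bug and the fix, as an added user-space model (not Qualys' exploit and not the kernel's own code): stack_round_vulnerable() mirrors the int-based items computation in create_elf_tables() and shows the stack pointer moving up once argc + envc + 3 exceeds INT_MAX; arg_size_ok_before_fix() and arg_size_ok_after_fix() mirror the argument-size check in get_arg_page() before and after commit da029c11e6b1. The constants (4 KiB pages, 8 MiB _STK_LIM, 8-byte pointers) are the x86-64 values, and the sample stack address and argument counts are constructed inputs, all assumptions of this model.

```c
/* Added example: models the create_elf_tables() integer overflow behind
 * CVE-2018-14634 and the get_arg_page() size check before/after the fix.
 * Not kernel code; constants below are assumed x86-64 values. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ARG_STRINGS 0x7FFFFFFFu              /* kernel cap on argc and envc */
#define PAGE_SIZE_K     4096ULL                  /* assumed 4 KiB pages */
#define ARG_MAX_K       (32ULL * PAGE_SIZE_K)    /* 32 pages are always allowed */
#define STK_LIM_K       (8ULL * 1024 * 1024)     /* _STK_LIM: 8 MiB default stack */
#define PTR_SIZE        8ULL                     /* sizeof(void *) on a 64-bit kernel */
#define RLIM_INFINITY_K UINT64_MAX               /* "ulimit -s unlimited" */

/* create_elf_tables() does, with items a plain int:
 *     items = (argc + 1) + (envc + 1) + 1;
 *     bprm->p = STACK_ROUND(sp, items);   // ((unsigned long)(sp - items)) & ~15UL
 * sp is an elf_addr_t pointer (8 bytes), so sp - items moves items*8 bytes.
 * Once argc + envc + 3 exceeds INT_MAX the count wraps negative and the
 * "subtraction" moves the stack pointer UP, into the argument strings.
 * The wrap is done in uint32_t here because signed overflow is undefined in
 * user-space C; the kernel's int arithmetic wraps the same way in practice. */
uint64_t stack_round_vulnerable(uint64_t sp, uint32_t argc, uint32_t envc)
{
    int items = (int)((argc + 1u) + (envc + 1u) + 1u);   /* negative for huge counts */
    int64_t delta = (int64_t)items * (int64_t)PTR_SIZE;  /* bytes the pointer moves */
    return (uint64_t)((int64_t)sp - delta) & ~15ULL;     /* STACK_ROUND */
}

/* get_arg_page() before da029c11e6b1: only the string bytes were checked,
 * against a quarter of RLIMIT_STACK, and the argv/envp pointer arrays were
 * not counted. With the soft stack limit raised to unlimited, anything passes. */
bool arg_size_ok_before_fix(uint64_t string_bytes, uint64_t argc,
                            uint64_t envc, uint64_t rlim_stack)
{
    (void)argc; (void)envc;                     /* pointers were not accounted for */
    return string_bytes <= rlim_stack / 4;
}

/* get_arg_page() after da029c11e6b1: the pointer arrays are counted and the
 * total is capped at min(RLIMIT_STACK/4, 3/4 of _STK_LIM), so raising the
 * stack rlimit no longer lifts the ceiling. */
bool arg_size_ok_after_fix(uint64_t string_bytes, uint64_t argc,
                           uint64_t envc, uint64_t rlim_stack)
{
    uint64_t ptr_size = (argc + envc) * PTR_SIZE;
    if (ptr_size > UINT64_MAX - string_bytes)   /* same overflow guard as the patch */
        return false;
    uint64_t size = string_bytes + ptr_size;
    if (size <= ARG_MAX_K)                      /* historical ARG_MAX always allowed */
        return true;
    uint64_t limit = STK_LIM_K / 4 * 3;         /* 6 MiB */
    if (rlim_stack / 4 < limit)
        limit = rlim_stack / 4;
    return size <= limit;
}

/* Largest argc + envc the fixed check can admit: each string costs at least
 * one NUL byte plus one 8-byte pointer. Far below INT_MAX, so items cannot wrap. */
uint64_t max_strings_after_fix(void)
{
    return (STK_LIM_K / 4 * 3) / (1 + PTR_SIZE);
}

int main(void)
{
    uint64_t sp = 0x7ffffffde000ULL;                     /* assumed stack top */
    uint32_t argc = 0x40000000u, envc = 0x40000000u;     /* argc + envc + 3 > INT_MAX */
    uint64_t strings = (uint64_t)argc + envc;            /* one empty string ("") each */

    printf("sane execve:        sp %#llx -> %#llx (down)\n", (unsigned long long)sp,
           (unsigned long long)stack_round_vulnerable(sp, 2, 10));
    printf("overflowing execve: sp %#llx -> %#llx (up!)\n", (unsigned long long)sp,
           (unsigned long long)stack_round_vulnerable(sp, argc, envc));
    printf("before fix, ulimit -s unlimited: admitted=%d\n",
           arg_size_ok_before_fix(strings, argc, envc, RLIM_INFINITY_K));
    printf("before fix, default 8 MiB stack: admitted=%d\n",
           arg_size_ok_before_fix(strings, argc, envc, STK_LIM_K));
    printf("after fix,  ulimit -s unlimited: admitted=%d\n",
           arg_size_ok_after_fix(strings, argc, envc, RLIM_INFINITY_K));
    printf("max strings the fixed check admits: %llu (INT_MAX = %d)\n",
           (unsigned long long)max_strings_after_fix(), INT_MAX);
    return 0;
}
```

Two things the model makes visible: the pre-fix check only lets the overflowing counts through once the soft stack limit has been raised (the hard limit is commonly unlimited, so an unprivileged user can do that), and the post-fix cap of 6 MiB for strings plus pointers bounds argc + envc to a few hundred thousand entries, which is why the fix removes the overflow without touching the arithmetic in create_elf_tables() itself.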


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unprivileged local user to escalate to root on the affected host. In practice this is full system compromise from a local account: arbitrary code execution as root, access to or modification of protected data, installation of persistence, disabling of security controls, and a foothold for further movement within the environment. The attack requires local code execution on a 64-bit kernel and a privileged (typically SUID-root) binary to target; it is not reachable over the network on its own.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting local and shell access to trusted users, removing or de-privileging unnecessary SUID/SGID and other privileged helper binaries (the published technique needs one to target), and enforcing least-privilege controls generally. Mandatory access control such as SELinux or AppArmor may constrain what a process can do after it has gained root, but it does not prevent the kernel flaw from being triggered and is not a substitute for the kernel update.

Remediation

Patch, then assume compromise.

Apply vendor-provided kernel updates that fix CVE-2018-14634. Exploitability is associated with kernels that include commit b6a2fea39318 ("mm: variable length argument support") but do not include or backport the mitigating change da029c11e6b1 ("exec: Limit arg stack to at most 75% of _STK_LIM"); a distribution kernel that carries the latter is not affected even if its version number falls in a reported-vulnerable line. Install the kernel security update from the relevant vendor (for example the affected Red Hat, CentOS or Debian releases), reboot into the patched kernel, and confirm with uname -r that the running kernel is the updated one, since the fix is not live until reboot.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden). Valid: 1 of 2 total.

cve-2018-14634 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept (PoC) exploit for CVE-2018-14634, a local privilege escalation vulnerability in the Linux kernel affecting versions 2.6.x, 3.10.x, and 4.14.x. The repository consists of a README.md describing the vulnerability and a single C source file (poc-exploit.c) implementing the exploit. The exploit works by crafting a very large number of arguments and environment variables so that the kernel's stack layout calculation overflows, then executing a SUID binary (expected to be present as ./poc-suidbin) to trigger the integer overflow in create_elf_tables(). The code uses temporary files in /tmp for argument vector manipulation. The exploit must be run locally by an attacker with access to the system, and if successful, results in privilege escalation. No network endpoints are involved; the attack vector is purely local. The code is a PoC and does not include a weaponized or customizable payload.

Author: luan0ap · Disclosed Oct 8, 2018 · Language: C · Vector: local
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor             | Product                                   | Type
Canonical          | Ubuntu Linux                              | application
F5                 | BIG-IP Access Policy Manager              | application
F5                 | BIG-IP Advanced Firewall Manager          | application
F5                 | BIG-IP Analytics                          | application
F5                 | BIG-IP Application Acceleration Manager   | application
F5                 | BIG-IP Application Security Manager       | application
F5                 | BIG-IP Domain Name System                 | application
F5                 | BIG-IP Edge Gateway                       | application
F5                 | BIG-IP Fraud Protection Service           | application
F5                 | BIG-IP Global Traffic Manager             | application
F5                 | BIG-IP Link Controller                    | application
F5                 | BIG-IP Local Traffic Manager              | application
F5                 | BIG-IP Policy Enforcement Manager         | application
F5                 | BIG-IP WebAccelerator                     | application
F5                 | BIG-IQ Centralized Management             | application
F5                 | BIG-IQ Cloud and Orchestration            | application
F5                 | Enterprise Manager                        | application
F5                 | iWorkflow                                 | application
F5                 | Traffix Signaling Delivery Controller     | application
Linux              | Linux Kernel                              | operating_system
NetApp             | Active IQ Performance Analytics Services  | application
NetApp             | SnapProtect                               | application
Palo Alto Networks | PAN-OS                                    | operating_system
Red Hat            | Enterprise Linux Desktop                  | operating_system
Red Hat            | Enterprise Linux Server                   | operating_system
Red Hat            | Enterprise Linux Server AUS               | operating_system
Red Hat            | Enterprise Linux Server EUS               | operating_system
Red Hat            | Enterprise Linux Server TUS               | operating_system
Red Hat            | Enterprise Linux Workstation              | operating_system

Vendor-confirmed product mapping.
