CVE-2018-1125 - Vulnerability Details

procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00364.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Opensuse	Leap
Procps-ng Project	Procps-ng

Configuration 1 [-]

cpe:2.3:a:procps-ng_project:procps-ng:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration 4 [-]

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00058.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00059.html
http://seclists.org/oss-sec/2018/q2/122
http://www.securityfocus.com/bid/104214
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1125
https://lists.debian.org/debian-lts-announce/2018/05/msg00021.html
https://nvd.nist.gov/vuln/detail/CVE-2018-1125
https://usn.ubuntu.com/3658-1/
https://usn.ubuntu.com/3658-3/
https://www.cve.org/CVERecord?id=CVE-2018-1125
https://www.debian.org/security/2018/dsa-4208
https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

History

Wed, 17 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-05-23T14:00:00.000Z

Updated: 2025-12-17T22:09:11.636Z

Reserved: 2017-12-04T00:00:00.000Z

Link: CVE-2018-1125

Vulnrichment

Updated: 2024-08-05T03:51:48.542Z

NVD

Status : Modified

Published: 2018-05-23T14:29:00.343

Modified: 2025-12-17T22:15:54.927

Link: CVE-2018-1125

Redhat

Severity : Low

Publid Date: 2018-05-17T17:00:00Z

Links: CVE-2018-1125 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object