{"id":"CVE-2018-11218","details":"Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.","modified":"2026-04-16T06:21:36.571534444Z","published":"2018-06-17T17:29:00.277Z","related":["SUSE-OU-2020:3291-1","openSUSE-SU-2024:11299-1"],"references":[{"type":"ADVISORY","url":"https://github.com/antirez/redis/issues/5017"},{"type":"ADVISORY","url":"https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES"},{"type":"ADVISORY","url":"https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4230"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0052"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0094"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201908-04"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/104553"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1860"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"FIX","url":"https://github.com/antirez/redis/commit/52a00201fca331217c3b4b8b634f6a0f57d6b7d3"},{"type":"FIX","url":"https://github.com/antirez/redis/commit/5ccb6f7a791bf3490357b00a898885759d98bab0"},{"type":"EVIDENCE","url":"http://antirez.com/news/119"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/antirez/redis","events":[{"introduced":"0"},{"fixed":"52a00201fca331217c3b4b8b634f6a0f57d6b7d3"},{"fixed":"5ccb6f7a791bf3490357b00a898885759d98bab0"}]},{"type":"GIT","repo":"https://github.com/redis/redis","events":[{"introduced":"0"},{"fixed":"590f537420e81832c3893418e608cd6ab3cc7c5f"},{"introduced":"05b81d2b02578d432329c87c93f975e582d14c0e"},{"fixed":"556b2d2bee22d1307e696090c9be10fc10a47cd3"},{"introduced":"0"},{"last_affected":"2ee4a1c9806aab459d05e60751e07d86a4bebd78"},{"introduced":"0"},{"last_affected":"05b81d2b02578d432329c87c93f975e582d14c0e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.2.12"},{"introduced":"4.0"},{"fixed":"4.0.10"},{"introduced":"0"},{"last_affected":"5.0-rc1"},{"introduced":"0"},{"last_affected":"4.0"}]}}],"versions":["1.3.6","2.2-alpha0","2.2-alpha1","2.2-alpha2","2.2-alpha3","2.2-alpha4","2.2-alpha5","2.2-alpha6","2.2.0-rc1","2.3-alpha0","3.2-rc1","3.2.0","3.2.0-rc2","3.2.0-rc3","3.2.1","3.2.10","3.2.11","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","4.0.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","5.0-rc1","v1.3.10","v1.3.11","v1.3.7","v1.3.8","v1.3.9","v2.0.0-rc1","v2.1.1-watch","vm-playpen"],"database_specific":{"vanir_signatures_modified":"2026-04-11T06:58:37Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"10"}]},{"events":[{"introduced":"0"},{"last_affected":"13"}]}],"vanir_signatures":[{"deprecated":false,"signature_version":"v1","id":"CVE-2018-11218-700a840d","target":{"file":"deps/lua/src/lua_cmsgpack.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["16911033430593959714276436254180720746","118647126258626533724160258916734123784","266997613451356111695635551196073534977"]},"source":"https://github.com/antirez/redis/commit/52a00201fca331217c3b4b8b634f6a0f57d6b7d3"},{"deprecated":false,"signature_version":"v1","id":"CVE-2018-11218-d30d5814","target":{"file":"deps/lua/src/lua_cmsgpack.c","function":"mp_pack"},"signature_type":"Function","digest":{"function_hash":"311114601621233800883377513176254974414","length":471},"source":"https://github.com/antirez/redis/commit/52a00201fca331217c3b4b8b634f6a0f57d6b7d3"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11218.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}