{"id":"CVE-2018-13405","details":"The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.","modified":"2026-04-02T00:38:10.163050Z","published":"2018-07-06T14:29:01.223Z","related":["ALSA-2022:0886","ALSA-2022:1988","MGASA-2018-0324","MGASA-2018-0340","MGASA-2018-0341","SUSE-SU-2018:2051-1","SUSE-SU-2018:2092-1","SUSE-SU-2018:2150-1","SUSE-SU-2018:2222-1","SUSE-SU-2018:2344-1","SUSE-SU-2018:2344-2","SUSE-SU-2018:2362-1","SUSE-SU-2018:2384-1","SUSE-SU-2021:3723-1","SUSE-SU-2021:3748-1","SUSE-SU-2021:3876-1","SUSE-SU-2021:3929-1","SUSE-SU-2021:3935-1","SUSE-SU-2021:3972-1","openSUSE-SU-2021:1477-1","openSUSE-SU-2021:3876-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRBNBX73SAFKQWBOX76SLMWPTKJPVGEJ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKKIAUMR5FAYLZ7HLEPOXMKAAE3BYBQ/"},{"type":"WEB","url":"http://www.securityfocus.com/bid/106503"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3096"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4164"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html"},{"type":"ADVISORY","url":"https://support.f5.com/csp/article/K00854051"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3753-2/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4266"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2730"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3752-2/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3752-3/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3754-1/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2948"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2566"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2696"},{"type":"ADVISORY","url":"https://twitter.com/grsecurity/status/1015082951204327425"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3752-1/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3083"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0717"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2476"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4159"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3753-1/"},{"type":"FIX","url":"http://openwall.com/lists/oss-security/2018/07/13/2"},{"type":"FIX","url":"http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7"},{"type":"FIX","url":"https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7"},{"type":"FIX","url":"https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=0b3369840cd61c23e2b9241093737b4c395cb406"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/45033/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git","events":[{"introduced":"0"},{"fixed":"0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7"}]},{"type":"GIT","repo":"https://github.com/torvalds/linux","events":[{"introduced":"0"},{"last_affected":"19583ca584d6f574384e17fe7613dfaeadcdc4a6"},{"introduced":"0"},{"last_affected":"39a8804455fb23f09157341d3ba7db6d7ae6ee76"},{"introduced":"0"},{"last_affected":"4fe89d07dcc2804c8b562f6c7896a45643d34b2f"},{"introduced":"0"},{"last_affected":"4fe89d07dcc2804c8b562f6c7896a45643d34b2f"},{"introduced":"0"},{"last_affected":"ffc253263a1375a65fa6c9f62a893e9767fbebfa"},{"introduced":"0"},{"last_affected":"4fe89d07dcc2804c8b562f6c7896a45643d34b2f"},{"fixed":"0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.16"},{"introduced":"0"},{"last_affected":"4.0"},{"introduced":"0"},{"last_affected":"6.0"},{"introduced":"0"},{"last_affected":"6.0"},{"introduced":"0"},{"last_affected":"6.6"},{"introduced":"0"},{"last_affected":"6.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-13405.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]},{"events":[{"introduced":"13.0.0"},{"fixed":"13.1.3.5"}]},{"events":[{"introduced":"14.0.0"},{"fixed":"14.1.3.1"}]},{"events":[{"introduced":"15.0.0"},{"fixed":"15.0.1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}