CVE-2018-14634

Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634)

Privilege Escalation

CVE-2018-14634 is an integer overflow vulnerability in the Linux kernel's create_elf_tables() function, triggered during process execution via the execve syscall. A local unprivileged attacker can exploit this flaw to achieve privilege escalation to root by crafting a binary with an extremely large argument list. This vulnerability exists in Linux kernel versions 2.6.x through 4.14.x and is listed in CISA's Known Exploited Vulnerabilities catalog.

What is Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634)?

Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634) maps to the MITRE ATT&CK Privilege Escalation tactic: the adversary is trying to gain higher-level permissions.

This page provides production-ready detection logic for Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634), covering the data sources and telemetry it touches: SecurityEvent, Syslog, AuditLogs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK tactic: Privilege Escalation

Microsoft Sentinel / Defender (Kusto query)
SecurityEvent
| where EventID == 4688
| where ProcessName endswith "bash" or ProcessName endswith "sh" or ProcessName endswith "python" or ProcessName endswith "perl"
| where CommandLine matches regex @"(?i)(execve|/proc/self/exe)"
| join kind=inner (
    SecurityEvent
    | where EventID == 4672
    | where PrivilegeList has "SeDebugPrivilege" or PrivilegeList has "SeTcbPrivilege"
    | project TimeGenerated, SubjectLogonId, PrivilegeList
) on $left.SubjectLogonId == $right.SubjectLogonId
| where TimeGenerated - TimeGenerated1 between (0min .. 5min)
| project TimeGenerated, Computer, Account, ProcessName, CommandLine, PrivilegeList
| where Account !in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")

Detects potential exploitation of CVE-2018-14634 by correlating execve-related process creation events with subsequent privilege escalation events on Linux hosts forwarding to Sentinel. Looks for non-privileged accounts gaining elevated privileges shortly after executing shell-like processes.

Severity: critical. Confidence: medium.

Data Sources

SecurityEvent, Syslog, AuditLogs

Required Tables

SecurityEvent

False Positives

  • Legitimate administrative privilege escalation via sudo or authorized tools
  • Security tooling that exercises privilege transitions during testing
  • Container orchestration systems that legitimately spawn root processes
  • Package manager updates or system services performing privileged operations

Sigma rule & cross-platform mapping

The detection logic for Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Large Argument execve Invocation

    Expected signal: Auditd logs an execve syscall record with an unusually large a1 or args array. Process creation event logged with high argument count.

  2. Test 2: Check for Vulnerable Kernel Version

    Expected signal: Process execution of uname and package manager commands logged via auditd or endpoint telemetry.

  3. Test 3: Exploit Binary Drop and Execute Simulation (Lab Only)

    Expected signal: File creation in /tmp, chmod syscall, bash script execution, and id command execution all logged via auditd. File write to /tmp from a non-root user.
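The Sentinel query above keys on Windows Security events (EventID 4688/4672, SeDebugPrivilege), which Linux hosts do not emit; the telemetry Test 1 expects is auditd's execve records. The following added example (not part of this page or its detection package) parses constructed auditd SYSCALL/EXECVE lines and flags executions whose argc is implausibly large; it assumes an auditd rule logging execve, the x86_64 syscall number 59, and an argc threshold that is a tuning assumption rather than a published value.

```python
import re
from collections import defaultdict

# Constructed sample auditd output (not real captured data). The serial after
# the timestamp ties a SYSCALL record to the EXECVE record of the same event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1537900000.101:4001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="execve"
type=EXECVE msg=audit(1537900000.101:4001): argc=3 a0="ls" a1="-la" a2="/tmp"
type=SYSCALL msg=audit(1537900000.250:4002): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2100 pid=2102 auid=1000 uid=1000 gid=1000 euid=1000 comm="poc" exe="/tmp/poc" key="execve"
type=EXECVE msg=audit(1537900000.250:4002): argc=1048576 a0="/tmp/poc" a1="AAAA" a2="AAAA"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE_SYSCALL_X86_64 = '59'  # assumption: x86_64 hosts; other arches use different numbers


def parse_fields(body):
    """Split 'k=v k="quoted v"' audit body text into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def find_large_execve(log_text, argc_threshold=65536):
    """Return one dict per execve event whose argc is at or above the threshold.

    SYSCALL (uid, euid, exe, pid) and EXECVE (argc) records are merged by audit
    serial. auditd splits very long argument vectors across several EXECVE
    records that repeat argc, so the maximum seen per serial is kept.
    """
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m.group('body'))
        ev = events[m.group('serial')]
        ev.setdefault('ts', m.group('ts'))
        if m.group('type') == 'SYSCALL' and fields.get('syscall') == EXECVE_SYSCALL_X86_64:
            ev.update(uid=fields.get('uid'), euid=fields.get('euid'),
                      exe=fields.get('exe'), pid=fields.get('pid'))
        elif m.group('type') == 'EXECVE':
            ev['argc'] = max(ev.get('argc', 0), int(fields.get('argc', 0)))
    return [{'serial': serial, **ev} for serial, ev in events.items()
            if ev.get('argc', 0) >= argc_threshold]


if __name__ == '__main__':
    for hit in find_large_execve(SAMPLE_AUDIT_LOG):
        print(f"large execve: serial={hit['serial']} uid={hit['uid']} exe={hit['exe']} argc={hit['argc']}")
```

Feed real `ausearch -m EXECVE,SYSCALL --raw` output into `find_large_execve` and tune the threshold to the highest argc your build or batch jobs legitimately produce.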

Unlock Pro Content

Get the full detection package for CVE-2018-14634 including response playbook, investigation guide, and atomic red team tests.