CVE-2018-14634 CrowdStrike LogScale · LogScale

Detect Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634) in CrowdStrike LogScale

CVE-2018-14634 is an integer overflow vulnerability in the Linux kernel's create_elf_tables() function, triggered during process execution via the execve syscall. A local unprivileged attacker can exploit this flaw to achieve privilege escalation to root by crafting a binary with an extremely large argument list. This vulnerability exists in Linux kernel versions 2.6.x through 4.14.x and is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Privilege Escalation

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
event_simpleName=ProcessRollup2
| where UserName != "root" and UserName != ""
| where FileName in ("bash", "sh", "dash", "ksh", "zsh", "python", "python3", "perl")
| join type=inner (
    event_simpleName=ProcessRollup2
    | where UserIsAdmin=1 and UserName="root"
    | rename TargetProcessId as ChildRootPid, ParentProcessId as ChildParentPid
    | fields TargetProcessId, ChildParentPid, UserName, FileName, ComputerName, timestamp
) on $left.TargetProcessId==$right.ChildParentPid and $left.ComputerName==$right.ComputerName
| where timestamp - timestamp1 <= 300
| where platform_name="Linux"
| stats count by UserName, FileName, ComputerName, CommandLine
| where count > 0
critical severity medium confidence

CrowdStrike Falcon CQL query identifying Linux hosts where a non-root shell process spawned a root-privileged child process within 5 minutes, a behavioral indicator of CVE-2018-14634 local privilege escalation exploitation.

Data Sources

CrowdStrike Falcon Endpoint

Required Tables

ProcessRollup2

False Positives & Tuning

  • Legitimate use of setuid binaries such as passwd or mount by non-root users
  • Sudo-wrapped commands that spawn root processes as a normal workflow
  • Falcon sensor telemetry gaps during high-load kernel exploitation attempts
  • CI/CD agents running as non-root that invoke privileged helper scripts

Other platforms for CVE-2018-14634

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Large Argument execve Invocation

    Expected signal: Auditd logs an execve syscall record with an unusually large a1 or args array. Process creation event logged with high argument count.

  2. Test 2Check for Vulnerable Kernel Version

    Expected signal: Process execution of uname and package manager commands logged via auditd or endpoint telemetry.

  3. Test 3Exploit Binary Drop and Execute Simulation (Lab Only)

    Expected signal: File creation in /tmp, chmod syscall, bash script execution, and id command execution all logged via auditd. File write to /tmp from a non-root user.

Last updated: 2026-06-19 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2018-14634 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hub

TA0004Privilege Escalation

Related Techniques

T1068Exploitation for Privilege EscalationT1059.004Unix Shell

Same Tactic: Privilege Escalation

Popular Detections