CVE-2018-14634 IBM QRadar · QRadar

Detect Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634) in IBM QRadar

CVE-2018-14634 is an integer overflow vulnerability in the Linux kernel's create_elf_tables() function, triggered during process execution via the execve syscall. A local unprivileged attacker can exploit this flaw to achieve privilege escalation to root by crafting a binary with an extremely large argument list. This vulnerability exists in Linux kernel versions 2.6.x through 4.14.x and is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Privilege Escalation

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
       sourceip, username, "Process Name", "Command",
       QIDNAME(qid) as EventName
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Audit')
  AND ("syscall" = 'execve' OR "Process Name" IN ('bash','sh','dash','python','python3','perl','ksh','zsh'))
  AND username NOT IN ('root','daemon','nobody','www-data')
  AND sourceip IN
    (SELECT sourceip FROM events
     WHERE LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Audit')
       AND ("syscall" IN ('setuid','setreuid','setresuid') AND "euid" = '0')
       AND DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('minute', -5, NOW())
     GROUP BY sourceip)
GROUP BY sourceip, username, "Process Name", "Command"
HAVING COUNT(*) > 0
LAST 3600 SECONDS
critical severity medium confidence

QRadar AQL query correlating execve syscall activity from non-root users with subsequent setuid-family syscalls resulting in effective root (euid=0) on the same host within a 5-minute window, targeting CVE-2018-14634 exploitation patterns.

Data Sources

Linux OS log sourceAudit log source

Required Tables

events

False Positives & Tuning

  • Legitimate privilege escalation tools like sudo or pkexec
  • System initialization scripts that transition from service accounts to root
  • Security scanning tools that test privilege boundaries
  • Automated patching or update systems performing privileged operations

Other platforms for CVE-2018-14634

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Large Argument execve Invocation

    Expected signal: Auditd logs an execve syscall record with an unusually large a1 or args array. Process creation event logged with high argument count.

  2. Test 2Check for Vulnerable Kernel Version

    Expected signal: Process execution of uname and package manager commands logged via auditd or endpoint telemetry.

  3. Test 3Exploit Binary Drop and Execute Simulation (Lab Only)

    Expected signal: File creation in /tmp, chmod syscall, bash script execution, and id command execution all logged via auditd. File write to /tmp from a non-root user.

Last updated: 2026-06-19 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2018-14634 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hub

TA0004Privilege Escalation

Related Techniques

T1068Exploitation for Privilege EscalationT1059.004Unix Shell

Same Tactic: Privilege Escalation

Popular Detections