VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 12, 2018· Updated Aug 5, 2024

CVE-2018-13441

CVE-2018-13441

Description

Nagios Core 4.4.1 and earlier has a NULL pointer dereference in qh_help, allowing local DoS via crafted payload to UNIX socket.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nagios Core 4.4.1 and earlier has a NULL pointer dereference in qh_help, allowing local DoS via crafted payload to UNIX socket.

Vulnerability

Nagios Core versions 4.4.1 and earlier contain a NULL pointer dereference vulnerability in the qh_help function within base/query-handler.c. This occurs when processing specially crafted #help or @help commands, leading to a crash [1].

Exploitation

An attacker with local access can send a crafted payload, such as #help\0 or @help\0, to the Nagios UNIX socket (e.g., /var/nagios/qh) using tools like socat. This triggers the vulnerable code path [1].

Impact

Successful exploitation causes a denial-of-service condition by crashing the Nagios Core process due to a NULL pointer dereference [1].

Mitigation

No official fix has been released for this vulnerability as of the publication date. As a workaround, restrict access to the Nagios UNIX socket to trusted users only [1].

References
  1. CVE-2018-13441

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NULL-pointer check in `qh_help` when processing crafted query-handler input causes a NULL pointer dereference."

Attack vector

An attacker with local access to the Nagios UNIX socket can send a crafted payload — either `#help\0` or `@help\0` — to trigger a NULL pointer dereference in `qh_help` [ref_id=1]. The payload is sent via `socat` or any tool that can write to the listening UNIX socket (e.g., `socat unix-connect:./nagios.qh -`) [ref_id=1]. This causes the Nagios Core process to crash, resulting in a local denial-of-service condition [ref_id=1].

Affected code

The vulnerability is in the `qh_help` function in `base/query-handler.c` at line 374 [ref_id=1]. It is called from `qh_input` (line 227) within the same file, which is invoked by the `iobroker_poll` loop in `lib/iobroker.c` [ref_id=1].

What the fix does

The advisory does not include a patch or remediation guidance beyond the disclosure of the vulnerability [ref_id=1]. No fix is published in the reference material; users are advised to monitor the vendor for an update or apply input validation on the query-handler input to prevent a NULL pointer dereference in `qh_help`.

Preconditions

  • networkAttacker must have local access to the Nagios UNIX socket file (e.g., nagios.qh)
  • configThe Nagios Core process must be running and listening on the UNIX socket

Reproduction

1. Ensure Nagios Core 4.4.1 or earlier is running and the UNIX socket (e.g., `nagios.qh`) is accessible. 2. Run one of the following commands: `echo -ne "#help\0" | socat unix-connect:./nagios.qh -` `echo -ne "@help\0" | socat unix-connect:./nagios.qh -` 3. The Nagios process will crash due to a NULL pointer dereference in `qh_help` [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.