CVE-2018-13458
Description
Nagios Core 4.4.1 and earlier suffers from a NULL pointer dereference in qh_core, enabling local denial of service via crafted UNIX socket payloads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the qh_core function within base/query-handler.c (line 408) of Nagios Core version 4.4.1 and earlier. It is a NULL pointer dereference that occurs when processing specially crafted input received on the local UNIX socket (nagios.qh). No special configuration beyond the default setup is required, as the query handler socket is enabled by default.
Exploitation
An attacker with local access to the Nagios instance can exploit this vulnerability without any authentication. The exploit involves sending a crafted payload — for example, #core\0 or @core\0 — to the listening UNIX socket using a tool like socat. The payload triggers a NULL pointer dereference in qh_core, which results in a denial-of-service condition [1].
Impact
Successful exploitation causes a local denial of service (DoS) by crashing the Nagios Core process. This results in loss of monitoring capabilities until the service is restarted. The impact is limited to availability; there is no indication of data disclosure or remote code execution from the references.
Mitigation
Nagios Core 4.4.2 (released July 10, 2018) addresses this vulnerability. Users are strongly advised to upgrade to this version or later. If upgrading is not immediately possible, restricting access to the UNIX socket via file permissions or disabling the query handler (if not needed) can reduce exposure. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
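An added example (not from the advisory or the Nagios project) for the socket-permission mitigation above: it reports which class of local users can connect to a query-handler socket under Linux permission rules. The function names, the `top` parameter and the temporary socket standing in for `nagios.qh` are constructed for illustration; ACLs and group-ownership differences between path levels are not evaluated.

```python
import os
import socket
import stat
import tempfile

def qh_socket_exposure(path, top="/"):
    """Classify who can connect to the UNIX socket at `path` on Linux.
    connect() needs write permission on the socket file and search (x)
    permission on every directory above it; directories are checked up to
    `top`. Simplification: ACLs and differing group owners are ignored.
    """
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a UNIX socket")
    other_ok = bool(st.st_mode & stat.S_IWOTH)
    group_ok = bool(st.st_mode & stat.S_IWGRP)
    directory = os.path.dirname(os.path.abspath(path))
    top = os.path.abspath(top)
    while True:
        dmode = os.stat(directory).st_mode
        other_ok = other_ok and bool(dmode & stat.S_IXOTH)
        group_ok = group_ok and bool(dmode & stat.S_IXGRP)
        parent = os.path.dirname(directory)
        if directory == top or parent == directory:
            break
        directory = parent
    if other_ok:
        return "world"  # any local account can reach the query handler
    return "group" if group_ok else "owner-only"

def demo_modes(dir_mode=0o755):
    """Constructed sample: a throwaway socket standing in for nagios.qh."""
    workdir = tempfile.mkdtemp()
    os.chmod(workdir, dir_mode)
    path = os.path.join(workdir, "nagios.qh")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.bind(path)
        results = []
        for mode in (0o666, 0o660, 0o600):
            os.chmod(path, mode)
            results.append((oct(mode), qh_socket_exposure(path, top=workdir)))
    os.unlink(path)
    os.rmdir(workdir)
    return results

if __name__ == "__main__":
    for mode, exposure in demo_modes():
        print(mode, exposure)
```

On a live host, call `qh_socket_exposure()` with the path of the actual query-handler socket; the default `top="/"` checks every ancestor directory.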
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.4.1
- osv-coords (2 versions): pkg:rpm/opensuse/nagios&distro=openSUSE%20Leap%2015.1, pkg:rpm/suse/nagios&distro=SUSE%20Package%20Hub%2015%20SP1
- (no CPE) range: < 4.4.5-lp151.5.4.1
- (no CPE) range: < 4.4.5-bp151.4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing NULL pointer check in `qh_core` allows crafted input to dereference a NULL pointer."
Attack vector
An attacker with local access to the Nagios UNIX socket (typically a file such as `nagios.qh`) sends a crafted payload — specifically the strings `#core\0` or `@core\0` — to trigger a NULL pointer dereference in the `qh_core` function [ref_id=1]. The attacker does not need authentication or special privileges beyond the ability to connect to the listening UNIX socket. The resulting denial-of-service condition crashes the Nagios Core process.
Affected code
The vulnerability resides in `qh_core` within `base/query-handler.c` at line 408, called from `qh_input` at line 227. The crash backtrace shows the NULL pointer dereference occurs in `qh_core` when processing specially crafted input received via the Nagios UNIX socket [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix; it only documents that versions 4.4.1 and earlier are affected by a NULL pointer dereference in `qh_core` [ref_id=1]. To remediate, users should apply any vendor-supplied update that adds a NULL check before dereferencing the pointer in `qh_core` at line 408 of `query-handler.c`.
Preconditions
- network: Attacker must have local access to the Nagios UNIX socket file (e.g., nagios.qh)
- auth: No authentication required beyond ability to connect to the socket
Reproduction
1. Ensure Nagios Core 4.4.1 (or earlier) is running and the UNIX socket (e.g., `nagios.qh`) is accessible.
2. Run the following commands to send crafted payloads:
   `echo -ne "#core\0" | socat unix-connect:./poc/nagios.qh -`
   `echo -ne "@core\0" | socat unix-connect:./poc/nagios.qh -`
3. Observe that Nagios Core crashes due to a NULL pointer dereference in `qh_core` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/45082/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00014.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00022.html (mitre, vendor-advisory, x_refsource_SUSE)
- gist.github.com/fakhrizulkifli/40f3daf52950cca6de28ebec2498ff6e (mitre, x_refsource_MISC)
- knowledge.opsview.com/v5.3/docs/whats-new (mitre, x_refsource_CONFIRM)
- knowledge.opsview.com/v5.4/docs/whats-new (mitre, x_refsource_CONFIRM)