According to the Ubuntu Security page, the linux project in Bionic and Focal has a status of "Needed". I'm assuming this project refers to linux-generic in the APT repository, so linux should be 4.15 in Bionic and 5.4 in Focal. I also made a brief test on Ubuntu Focal with linux-image-5.4.0-100-generic (amd64) and failed to exploit it. Thus, I assume Bionic on 4.15 is also unaffected.
So why is it still shown as "Needed" for Bionic and Focal?
1 Answer
Thank you to the Ubuntu Security Team for providing clarity on this, which in turn gave me the information I needed to answer you.
In this case, "Needed" means that it's not patched yet in Bionic or Focal kernels. According to Marc Deslauriers via #ubuntu-security on IRC:
the flaw exists in bionic and focal, but it's not exploitable (yet)
we will patch bionic and focal during the next round of kernel updates
just in case someone discovers another way to exploit the flaw
So while Bionic and Focal are 'affected' by the CVE, this is not yet exploitable, and will be patched in the next round of kernel updates on Bionic and Focal, just in case someone finds another way to exploit the flaw in those kernels.