CVE-2018-12037

medium

Description

An issue was discovered on Samsung 840 EVO and 850 EVO devices (only in "ATA high" mode, not vulnerable in "TCG" or "ATA max" mode), Samsung T3 and T5 portable drives, and Crucial MX100, MX200 and MX300 devices. Absence of a cryptographic link between the password and the Disk Encryption Key allows attackers with privileged access to SSD firmware full access to encrypted data.

References

Advisories

https://security.netapp.com/advisory/ntap-20181112-0001/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

http://www.securityfocus.com/bid/105840

Details

Source: Mitre, NVD

Published: 2018-11-20

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 1.9

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 4

Vector: CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00138