Fedora 29 update for kernel, kernel-headers, kernel-tools
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-3882 CVE-2019-9857 |
| CWE-ID | CWE-400 CWE-401 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system kernel-tools Operating systems & Components / Operating system package or component kernel-headers Operating systems & Components / Operating system package or component kernel Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU18377
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-3882
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform denial of service (DoS) attack.
The vulnerability exists within Linux kernel's vfio interface implementation, related to incorrect permission management. A local user with administrative privileges of the device, connected to vfio-pci interface can exhaust all system resources and perform denial of service attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 29
kernel-tools: before 5.0.6-200.fc29
kernel-headers: before 5.0.6-200.fc29
kernel: before 5.0.6-200.fc29
CPE2.3- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:kernel-tools:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:kernel-headers:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:kernel:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2019-be9add5b77
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory leak
EUVDB-ID: #VU90490
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-9857
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the destroy_super_work() function in fs/super.c, within the fsnotify_sb_delete() function in fs/notify/fsnotify.c. A local user can perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 29
kernel-tools: before 5.0.6-200.fc29
kernel-headers: before 5.0.6-200.fc29
kernel: before 5.0.6-200.fc29
CPE2.3- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:kernel-tools:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:kernel-headers:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:kernel:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2019-be9add5b77
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
