Multiple vulnerabilities in Linux kernel

Published: 2019-11-06 | Updated: 2019-12-25

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2019-18786 CVE-2019-18683
CWE-ID	CWE-401 CWE-362
Exploitation vector	Local
Public exploit	N/A
Vulnerable software Subscribe	Linux kernel Operating systems & Components / Operating system
Vendor	Linux Foundation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

UPDATED: 25.12.2019

Updated references section for vulnerability #2.

1) Memory leak

EUVDB-ID: #VU22566

Risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18786

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due memory leak within the rcar_drif_g_fmt_sdr_cap() function in drivers/media/platform/rcar_drif.c in Linux kernel. A local user can disclose uninitialized memory.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Linux kernel: 5.3.1 - 5.3.8

External links

http://patchwork.linuxtv.org/patch/59542/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Race condition

EUVDB-ID: #VU22567

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18683

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')