Multiple vulnerabilities in Linux kernel



Risk Medium
Patch available YES
Number of vulnerabilities 19
CVE-ID CVE-2019-19077
CVE-2019-19078
CVE-2019-19072
CVE-2019-19073
CVE-2019-19063
CVE-2019-19068
CVE-2019-19071
CVE-2019-19074
CVE-2019-19082
CVE-2019-19066
CVE-2019-19053
CVE-2019-19059
CVE-2019-19058
CVE-2019-19057
CVE-2019-19050
CVE-2019-19054
CVE-2019-19056
CVE-2019-19062
CVE-2019-19043
CWE-ID CWE-401
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Linux kernel
Operating systems & Components / Operating system

Vendor Linux Foundation

Security Bulletin

This security bulletin contains information about 19 vulnerabilities.

1) Memory leak

EUVDB-ID: #VU23036

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19077

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "bnxt_re_create_srq()" function in "drivers/infiniband/hw/bnxt_re/ib_verbs.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "ib_copy_to_udata()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/4a9d46a9fe14401f21df69cea97c62396d5fb053


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory leak

EUVDB-ID: #VU23035

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19078

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "ath10k_usb_hif_tx_sg()" function in "drivers/net/wireless/ath/ath10k/usb.c" file. A remote attacker can cause a denial of service condition (memory consumption) by triggering "usb_submit_urb()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/b8d17e7d93d2beb89e4f34c59996376b8b544792


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory leak

EUVDB-ID: #VU23034

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19072

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "predicate_parse()" function in "kernel/trace/trace_events_filter.c" file. A local attacker can cause a denial of service (memory consumption).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/96c5c6e6a5b6db592acae039fed54b5c8844cd35
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory leak

EUVDB-ID: #VU23033

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19073

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "htc_config_pipe_credits()", "htc_setup_complete()" and "htc_connect_service()" functions in "drivers/net/wireless/ath/ath9k/htc_hst.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "wait_for_completion_timeout()" failures.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/853acf7caf10b828102d92d05b5c101666a6142b
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory leak

EUVDB-ID: #VU23032

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19063

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "rtl_usb_probe()" function in "drivers/net/wireless/realtek/rtlwifi/usb.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/3f93616951138a598d930dcaec40f2bfd9ce43bb
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory leak

EUVDB-ID: #VU23031

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19068

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "rtl8xxxu_submit_int_urb()" function in "drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c" file. A remote attacker on the local network can cause a denial of service (memory consumption) by triggering "usb_submit_urb()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory leak

EUVDB-ID: #VU23030

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19071

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "rsi_send_beacon()" function in "drivers/net/wireless/rsi/rsi_91x_mgmt.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "rsi_prepare_beacon()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/d563131ef23cbc756026f839a82598c8445bc45f
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Memory leak

EUVDB-ID: #VU23029

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19074

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "ath9k_wmi_cmd()" function in "drivers/net/wireless/ath/ath9k/wmi.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/728c1e2a05e4b5fc52fab3421dce772a806612a2
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory leak

EUVDB-ID: #VU23028

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19082

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the *create_resource_pool() functions in "drivers/gpu/drm/amd/display/dc" file. A local attacker can cause a denial of service condition (memory consumption).

This vulnerability affects the following functions:

  • dce120_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c
  • dce110_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c
  • dce100_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c
  • dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
  • dce112_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/104c307147ad379617472dd91a5bcb368d72bd6d


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Memory leak

EUVDB-ID: #VU23027

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19066

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "bfad_im_get_stats()" function in "drivers/scsi/bfa/bfad_attr.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "bfa_port_get_stats()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/0e62395da2bd5166d7c9e14cbc7503b256a34cb0
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory leak

EUVDB-ID: #VU23026

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19053

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "rpmsg_eptdev_write_iter()" function in "drivers/rpmsg/rpmsg_char.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "copy_from_iter_full()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/bbe692e349e2a1edf3fe0a29a0e05899c9c94d51


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Memory leak

EUVDB-ID: #VU23025

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19059

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "iwl_pcie_ctxt_info_gen3_init()" function in "drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "iwl_pcie_init_fw_sec() or dma_alloc_coherent()" failures.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/0f4f199443faca715523b0659aa536251d8b978f
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory leak

EUVDB-ID: #VU23024

Risk: Medium

CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19058

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "alloc_sgtable()" function in "drivers/net/wireless/intel/iwlwifi/fw/dbg.c" file. A remote attacker on the local network can cause a denial of service (memory consumption) by triggering "alloc_page()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/b4b814fec1a5a849383f7b3886b654a13abbda7d
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory leak

EUVDB-ID: #VU23023

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19057

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "mwifiex_pcie_init_evt_ring()" function in "drivers/net/wireless/marvell/mwifiex/pcie.c"  file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "mwifiex_map_pci_memory()" failures.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/d10dcb615c8e29d403a24d35f8310a7a53e3050c
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory leak

EUVDB-ID: #VU23022

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19050

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "crypto_reportstat()" function in "crypto/crypto_user_stat.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "crypto_reportstat_alg()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/c03b04dcdba1da39903e23cc4d072abf8f68f2dd
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Memory leak

EUVDB-ID: #VU23021

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19054

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "cx23888_ir_probe()" function in "drivers/media/pci/cx23885/cx23888-ir.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "kfifo_alloc()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/a7b2df76b42bdd026e3106cf2ba97db41345a177
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory leak

EUVDB-ID: #VU23020

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19056

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "mwifiex_pcie_alloc_cmdrsp_buf()" function in "drivers/net/wireless/marvell/mwifiex/pcie.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "mwifiex_map_pci_memory()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/db8fd2cde93227e566a412cf53173ffa227998bc
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Memory leak

EUVDB-ID: #VU23019

Risk: Low

CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19062

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "crypto_report()" function in "crypto/crypto_user_base.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "crypto_report_alg()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/ffdde5932042600c6807d46c1550b28b0db6a3bc
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Memory leak

EUVDB-ID: #VU23018

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19043

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "i40e_setup_macvlans()" function in "drivers/net/ethernet/intel/i40e/i40e_main.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "i40e_setup_channel()" failures.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.3 - 5.3.11

CPE2.3 External links

http://github.com/torvalds/linux/commit/27d461333459d282ffa4a2bdb6b215a59d493a8f
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###