Slackware Linux update for kernel
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 24 |
| CVE-ID | CVE-2020-12351 CVE-2020-12352 CVE-2020-24490 CVE-2019-20810 CVE-2020-12771 CVE-2020-15393 CVE-2018-10323 CVE-2020-26088 CVE-2019-19054 CVE-2020-25212 CVE-2019-9445 CVE-2018-13094 CVE-2018-8043 CVE-2020-16166 CVE-2020-14331 CVE-2019-19448 CVE-2019-19074 CVE-2019-19073 CVE-2020-14314 CVE-2020-25285 CVE-2020-25284 CVE-2020-14390 CVE-2020-25643 CVE-2020-25211 |
| CWE-ID | CWE-20 CWE-284 CWE-119 CWE-401 CWE-476 CWE-276 CWE-367 CWE-125 CWE-330 CWE-787 CWE-416 CWE-863 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #12 is available. |
| Vulnerable software |
Slackware Linux Operating systems & Components / Operating system linux-4.4.240/kernel-headers Operating systems & Components / Operating system package or component linux-4.4.240/kernel-modules Operating systems & Components / Operating system package or component linux-4.4.240/kernel-huge Operating systems & Components / Operating system package or component linux-4.4.240/kernel-generic Operating systems & Components / Operating system package or component |
| Vendor | Slackware |
Security Bulletin
This security bulletin contains information about 24 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU47545
Risk: Medium
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-12351
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the BlueZ implementation in Linux kernel. A remote attacker on the local network can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper access control
EUVDB-ID: #VU47546
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-12352
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in BlueZ implementation in Linux kernel. A remote attacker on the local network can pass specially crafted input to the application and gain access to sensitive information.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Buffer overflow
EUVDB-ID: #VU47549
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-24490
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within BlueZ implementation in Linux kernel. A remote attacker on the local network can pass specially crated data to the system and perform a denial of service (DoS) attack.
Update the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Input validation error
EUVDB-ID: #VU34375
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-20810
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU28169
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-12771
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a deadlock if a coalescing operation fails in "btree_gc_coalesce" in "drivers/md/bcache/btree.c" file. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Memory leak
EUVDB-ID: #VU31921
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-15393
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform DoS attack on the target system.
The vulnerability exists due memory leak in "drivers/usb/misc/usbtest.c" file. A local user can force the application to leak memory and perform denial of service attack.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) NULL pointer dereference
EUVDB-ID: #VU12185
Risk: Low
CVSSv4.0: 5.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2018-10323
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The weakness exists in the xfs_bmap_extents_to_btree function in the fs/xfs/libxfs/xfs_bmap.c source code file due to NULL pointer dereference when handling Extended File System (XFS) images. A local attacker can mount a specially crafted XFS filesystem image when filesystem operations are executed on the mounted image and cause the service to crash.
Update the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Incorrect default permissions
EUVDB-ID: #VU92767
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-26088
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to manipulate data.
A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2 could be used by local attackers to create raw sockets, bypassing security mechanisms, aka CID-26896f01467a.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Memory leak
EUVDB-ID: #VU23021
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-19054
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the "cx23888_ir_probe()" function in "drivers/media/pci/cx23885/cx23888-ir.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "kfifo_alloc()" failures.
Update the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Time-of-check Time-of-use (TOCTOU) Race Condition
EUVDB-ID: #VU51433
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-25212
CWE-ID:
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a TOCTOU mismatch in the NFS client code in the Linux kernel. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges. MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Out-of-bounds read
EUVDB-ID: #VU35550
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-9445
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a missing bounds check when processing files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Null pointer dereference
EUVDB-ID: #VU13852
Risk: Low
CVSSv4.0: 5.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2018-13094
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The vulnerability exists due to NULL pointer dereference in the fs/xfs/libxfs/xfs_attr_leaf.c source code file in the Extended File System (XFS) component when the xfs_da_shrink_inode() function is called with a NULL byte pointer. A local attacker can mount and perform operations on a crafted XFS image, trigger a NULL pointer dereference condition in the xfs_trans_binval() function and cause the service to crash.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
13) NULL pointer dereference
EUVDB-ID: #VU11765
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-8043
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The weakness exists in the unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c due to improper validation of certain resource availability. A local attacker can trigger NULL pointer dereference and cause the service to crash.
Update the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Use of insufficiently random values
EUVDB-ID: #VU95686
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-16166
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to use of insufficiently random values error within the prandom_state_selftest() function in lib/random32.c, within the update_process_times() function in kernel/time/timer.c, within the add_interrupt_randomness() function in drivers/char/random.c. A remote non-authenticated attacker can gain access to sensitive information.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Out-of-bounds write
EUVDB-ID: #VU48590
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-14331
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Linux kernel’s implementation of the invert video code on VGA consoles. A local user with can run a specially crafted program to call VT_RESIZE IOCTL, trigger an out-of-bounds write and execute arbitrary code on the target system with elevated privileges.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Use-after-free
EUVDB-ID: #VU34983
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-19448
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Memory leak
EUVDB-ID: #VU23029
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-19074
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the "ath9k_wmi_cmd()" function in "drivers/net/wireless/ath/ath9k/wmi.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption).
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Memory leak
EUVDB-ID: #VU23033
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-19073
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the "htc_config_pipe_credits()", "htc_setup_complete()" and "htc_connect_service()" functions in "drivers/net/wireless/ath/ath9k/htc_hst.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "wait_for_completion_timeout()" failures. MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Out-of-bounds read
EUVDB-ID: #VU47106
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-14314
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists.
Update the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) NULL pointer dereference
EUVDB-ID: #VU90669
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-25285
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to NULL pointer dereference within the allowed_mems_nr(), hugetlb_sysctl_handler_common() and hugetlb_overcommit_handler() functions in mm/hugetlb.c. A local privileged user can execute arbitrary code.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Incorrect authorization
EUVDB-ID: #VU92423
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-25284
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to manipulate data.
The vulnerability exists due to incorrect authorization error within the rbd_config_info_show(), rbd_image_refresh(), do_rbd_add() and do_rbd_remove() functions in drivers/block/rbd.c. A local privileged user can manipulate data.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Out-of-bounds read
EUVDB-ID: #VU47220
Risk: Medium
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14390
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an out-of-bounds read that occurs leading to memory corruption or a denial of service. This highest threat from this vulnerability is to system availability.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Out-of-bounds read
EUVDB-ID: #VU51881
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-25643
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the HDLC_PPP module of the Linux kernel in the ppp_cp_parse_cr() function. A remote authenticated user can trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Buffer overflow
EUVDB-ID: #VU51545
Risk: Low
CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-25211
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to crash the system.
The vulnerability exists due to a boundary error within the ctnetlink_parse_tuple_filter() function in net/netfilter/nf_conntrack_netlink.c. A local user can inject conntrack netlink configuration, trigger buffer overflow and crash the kernel or force usage of incorrect protocol numbers.
MitigationUpdate the affected package kernel.
Vulnerable software versionsSlackware Linux: 14.2
linux-4.4.240/kernel-headers: before 4.4.240_smp
linux-4.4.240/kernel-modules: before 4.4.240
linux-4.4.240/kernel-huge: before 4.4.240
linux-4.4.240/kernel-generic: before 4.4.240
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-headers:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-modules:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-huge:*:*:*:*:*:slackware_linux:*:*
- cpe:2.3:a:slackware:linux-4.4.240_kernel-generic:*:*:*:*:*:slackware_linux:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
