Infinite loop in Linux kernel - CVE-2019-3819
Published: January 29, 2019 / Updated: May 30, 2020
Vulnerability identifier: #VU17252
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-3819
CWE-ID: CWE-835
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists in the function hid_debug_events_read() in drivers/hid/hid-debug.c file due to infinite loop when certain parameters passed from a userspace. A local attacker can execute a specially crafted program that submits malicious input to cause a system lock up and a denial of service.
How to mitigate CVE-2019-3819
Install updates from vendor's website.
Sources
- https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git/commit/?id=13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3819
- https://github.com/torvalds/linux/commit/717adfdaf14704fd3ec7fa2c04520c0723247eac
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.175
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.157
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.100