NULL pointer dereference in Linux kernel and Cisco Unified Contact Center Enterprise - CVE-2019-15098
Published: September 6, 2019 / Updated: May 30, 2020
Cisco Systems, Inc
Linux kernel
Cisco Unified Contact Center Enterprise
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the "drivers/net/wireless/ath/ath6kl/usb.c" file. A remote attacker can trigger denial of service conditions via an incomplete address in an endpoint descriptor.
How to mitigate CVE-2019-15098
Sources
- https://lore.kernel.org/linux-wireless/20190804002905.11292-1-benquike@gmail.com/T/#u
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.82
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.152
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.199
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.199
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9