Main Vulnerability Database Vulnerabilities #VU20931

NULL pointer dereference in Linux kernel - CVE-2019-15290

Published: September 9, 2019

Vulnerability identifier: #VU20931

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2019-15290

CWE-ID: CWE-476

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Linux Foundation

Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the "ath6kl_usb_alloc_urb_from_pipe" function in the "drivers/net/wireless/ath/ath6kl/usb.c" file. A local attacker with physical access can insert a USB device that submits malicious input to the targeted system and cause a denial of service condition.

How to mitigate CVE-2019-15290

Install update from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2019/08/20/2
http://www.openwall.com/lists/oss-security/2019/08/22/1
https://security.netapp.com/advisory/ntap-20190905-0002/
https://syzkaller.appspot.com/bug?id=cd8b9cfe50a0bf36ee19eda2d7e2e06843dfbeaf

NULL pointer dereference in Linux kernel - CVE-2019-15290

Detailed vulnerability description

How to mitigate CVE-2019-15290

Sources

Please verify you're human