Out-of-bounds write in Linux kernel - CVE-2019-14821
Published: September 21, 2019 / Updated: May 30, 2020
Vulnerability identifier: #VU21255
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-14821
CWE-ID: CWE-787
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the KVM coalesced MMIO support functionality due to incorrect processing of shared indexes. A local user can run a specially crafted application to trigger an out-of-bounds write error and write data to arbitrary address in the kernel memory.
Successful vulnerability exploitation may allow an attacker to execute arbitrary code on the system with root privileges.
How to mitigate CVE-2019-14821
Install updates from vendor's repository.
Sources
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.1
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.17
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.194
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.194
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.75
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.146
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4