Out-of-bounds write in Linux kernel - CVE-2019-14821
Published: September 21, 2019 / Updated: May 30, 2020
Vulnerability identifier: #VU21255
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-14821
CWE-ID: CWE-787
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the KVM coalesced MMIO support functionality due to incorrect processing of shared indexes. A local user can run a specially crafted application to trigger an out-of-bounds write error and write data to arbitrary address in the kernel memory.
Successful vulnerability exploitation may allow an attacker to execute arbitrary code on the system with root privileges.
Remediation
Install updates from vendor's repository.
External links
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.1
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.17
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.194
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.194
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.75
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.146
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4