Race condition in Linux kernel - CVE-2019-3016
Published: January 31, 2020 / Updated: June 1, 2020
Vulnerability identifier: #VU28411
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-3016
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local authenticated user to gain access to sensitive information.
In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.
How to mitigate CVE-2019-3016
Install update from vendor's website.
Sources
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.103
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.19
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.3
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.119