Multiple vulnerabilities in Linux kernel
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-19530 CVE-2019-19537 |
| CWE-ID | CWE-416 CWE-362 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Linux kernel Operating systems & Components / Operating system |
| Vendor | Linux Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU30566
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-19530
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to use-after-free error in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. A local user can use a malicious USB device to trigger use-after-free error and execute arbitrary code on the system with elevated privileges.
MitigationUpdate to version 5.2.10.
Vulnerable software versionsLinux kernel: 5.2.1 - 5.2.9
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html
https://www.openwall.com/lists/oss-security/2019/12/03/4
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.10
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c52873e5a1ef72f845526d9f6a50704433f9c625
https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Race condition
EUVDB-ID: #VU30569
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-19537
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsLinux kernel: 5.2.1 - 5.2.9
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html
https://www.openwall.com/lists/oss-security/2019/12/03/4
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.10
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=303911cfc5b95d33687d9046133ff184cf5043ff
https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
