Anolis OS update for kernel(ANCK)4.19



| Updated: 2025-03-28
Risk Medium
Patch available YES
Number of vulnerabilities 13
CVE-ID CVE-2019-18808
CVE-2019-19077
CVE-2019-19462
CVE-2019-19947
CVE-2019-19965
CVE-2019-20096
CVE-2020-10732
CVE-2020-12888
CVE-2020-13974
CVE-2020-16166
CVE-2020-8647
CVE-2020-8648
CVE-2020-8649
CWE-ID CWE-401
CWE-476
CWE-908
CWE-190
CWE-330
CWE-416
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Anolis OS
Operating systems & Components / Operating system

python3-perf
Operating systems & Components / Operating system package or component

perf
Operating systems & Components / Operating system package or component

kernel-tools-libs-devel
Operating systems & Components / Operating system package or component

kernel-tools-libs
Operating systems & Components / Operating system package or component

kernel-tools
Operating systems & Components / Operating system package or component

kernel-modules-extra
Operating systems & Components / Operating system package or component

kernel-modules
Operating systems & Components / Operating system package or component

kernel-headers
Operating systems & Components / Operating system package or component

kernel-devel
Operating systems & Components / Operating system package or component

kernel-debug-modules-extra
Operating systems & Components / Operating system package or component

kernel-debug-modules
Operating systems & Components / Operating system package or component

kernel-debug-devel
Operating systems & Components / Operating system package or component

kernel-debug-core
Operating systems & Components / Operating system package or component

kernel-debug
Operating systems & Components / Operating system package or component

kernel-core
Operating systems & Components / Operating system package or component

kernel
Operating systems & Components / Operating system package or component

bpftool
Operating systems & Components / Operating system package or component

Vendor OpenAnolis

Security Bulletin

This security bulletin contains information about 13 vulnerabilities.

1) Memory leak

EUVDB-ID: #VU24433

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-18808

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "ccp_run_sha_cmd()" function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows a local user to cause a denial of service (memory consumption).

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory leak

EUVDB-ID: #VU23036

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19077

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "bnxt_re_create_srq()" function in "drivers/infiniband/hw/bnxt_re/ib_verbs.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "ib_copy_to_udata()" failures.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Null pointer dereference

EUVDB-ID: #VU92776

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19462

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use of uninitialized resource

EUVDB-ID: #VU92774

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19947

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) NULL pointer dereference

EUVDB-ID: #VU90670

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19965

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the sas_get_port_device() function in drivers/scsi/libsas/sas_discover.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory leak

EUVDB-ID: #VU30493

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20096

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b. A remote attacker can perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use of uninitialized resource

EUVDB-ID: #VU92424

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10732

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to read memory contents or crash the application.

The vulnerability exists due to use of uninitialized resource error within the fill_thread_core_info() function in fs/binfmt_elf.c. A local user can read memory contents or crash the application.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper Handling of Exceptional Conditions

EUVDB-ID: #VU28159

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-12888

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a local user to perform a deinal of service (DoS) attack.

The vulnerability exists due to the VFIO PCI driver mishandles attempts to access disabled memory space. A local user can cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Integer overflow

EUVDB-ID: #VU64946

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-13974

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to integer overflow within drivers/tty/vt/keyboard.c if k_ascii is called several times in a row. A local user can trigger an integer overflow and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Use of insufficiently random values

EUVDB-ID: #VU95686

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-16166

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to use of insufficiently random values error within the prandom_state_selftest() function in lib/random32.c, within the update_process_times() function in kernel/time/timer.c, within the add_interrupt_randomness() function in drivers/char/random.c. A remote non-authenticated attacker can gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Use-after-free

EUVDB-ID: #VU28415

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8647

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to #BASIC_IMPACT#.

There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU28416

Risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8648

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to #BASIC_IMPACT#.

There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Use-after-free

EUVDB-ID: #VU28414

Risk: Medium

CVSSv4.0: 1.8 [CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-8649

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to #BASIC_IMPACT#.

There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-perf: before 4.19.91-23.4

perf: before 4.19.91-23.4

kernel-tools-libs-devel: before 4.19.91-23.4

kernel-tools-libs: before 4.19.91-23.4

kernel-tools: before 4.19.91-23.4

kernel-modules-extra: before 4.19.91-23.4

kernel-modules: before 4.19.91-23.4

kernel-headers: before 4.19.91-23.4

kernel-devel: before 4.19.91-23.4

kernel-debug-modules-extra: before 4.19.91-23.4

kernel-debug-modules: before 4.19.91-23.4

kernel-debug-devel: before 4.19.91-23.4

kernel-debug-core: before 4.19.91-23.4

kernel-debug: before 4.19.91-23.4

kernel-core: before 4.19.91-23.4

kernel: before 4.19.91-23.4

bpftool: before 4.19.91-23.4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2021:0213


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###