#VU21630 Out-of-bounds read in Linux kernel
Vulnerability identifier: #VU21630
Vulnerability risk: Low
CVSSv3.1: 1.9 [CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the drivers/media/usb/dvb-usb/technisat-usb2.c USB driver in Linux kernel. A local user can use a specially crafted USB device to trigger out-of-bounds read error during data transfer and read contents of memory on the system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Linux kernel: 5.2.1 - 5.2.9
External links
http://git.linuxtv.org/media_tree.git/commit/?id=0c4df39e504bf925ab666132ac3c98d6cbbe380b
http://lore.kernel.org/linux-media/20190821104408.w7krumcglxo6fz5q@gofer.mess.org/
http://lore.kernel.org/lkml/b9b256cb-95f2-5fa1-9956-5a602a017c11@gmail.com/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
