Memory leak in Linux kernel

#VU30603 Memory leak in Linux kernel

Cybersecurity Help s.r.o.

Published: 2019-11-18 | Updated: 2020-07-17

Vulnerability identifier: #VU30603

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19047

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the mlx5_fw_fatal_reporter_dump() function in drivers/net/ethernet/mellanox/mlx5/core/health.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_crdump_collect() failures, aka CID-c7ed6d0183d5. A remote attacker can perform a denial of service attack.

Mitigation
Update to version 5.3.11.

Vulnerable software versions

Linux kernel: 5.3.1 - 5.3.10

External links
http://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.11
http://github.com/torvalds/linux/commit/c7ed6d0183d5ea9bc31bcaeeba4070bd62546471
http://security.netapp.com/advisory/ntap-20191205-0001/
http://usn.ubuntu.com/4225-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Linux kernel