#VU34375 Input validation error in Linux kernel - CVE-2019-20810

Cybersecurity Help s.r.o.

Published: 2020-06-03 | Updated: 2020-08-08

Vulnerability identifier: #VU34375

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-20810

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.0 - 5.0.21, 5.1 rc1 - 5.1.21, 5.2 - 5.2.21, 5.3 - 5.3.18, 5.4 - 5.4.42, 5.5 - 5.5.19

External links
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00008.html
https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9453264ef58638ce8976121ac44c07a3ef375983
https://usn.ubuntu.com/4427-1/
https://usn.ubuntu.com/4439-1/
https://usn.ubuntu.com/4440-1/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Slackware Linux update for kernel

Ubuntu update for linux

Input validation error in Linux kernel