CVE-2019-8912
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
18/02/2019
Last modified:
02/06/2021
Description
In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Base Score 2.0
7.20
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19 (including) | 4.19.25 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 4.20.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc7:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc8:*:*:*:*:*:* | ||
| cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00052.html
- http://patchwork.ozlabs.org/patch/1042902/
- http://www.securityfocus.com/bid/107063
- https://access.redhat.com/errata/RHSA-2020:0174
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-8912
- https://usn.ubuntu.com/3930-1/
- https://usn.ubuntu.com/3930-2/
- https://usn.ubuntu.com/3931-1/
- https://usn.ubuntu.com/3931-2/