CVE-2019-11599

HIGH

Linux kernel <5.0.10 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11599. PoCs published by Google Security Research.

AI-analyzed exploit summary This PoC demonstrates a use-after-free vulnerability in the Linux kernel's `elf_core_dump` function, triggered by concurrent userfaultfd operations during core dumping. The exploit leverages race conditions between `userfaultfd_unregister` and core dumping to cause a kernel crash.

Description

The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdoslinux
https://www.exploit-db.com/exploits/46781

This PoC demonstrates a use-after-free vulnerability in the Linux kernel's `elf_core_dump` function, triggered by concurrent userfaultfd operations during core dumping. The exploit leverages race conditions between `userfaultfd_unregister` and core dumping to cause a kernel crash.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Racy
Target: Linux kernel versions 4.3 to 5.0-rc8
No auth needed
Prerequisites: userfaultfd syscall access · ability to trigger a core dump
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (39)

Core 39
Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/29/2
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/29/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/30/1
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46781/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108113
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4465
Broken Link mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/06/msg00011.html
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Jun/26
Third Party Advisory, VDB Entry vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html
Third Party Advisory, VDB Entry vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Jul/33
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4069-1/
Third Party Advisory, VDB Entry vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4069-2/
Third Party Advisory, VDB Entry vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2043
Third Party Advisory, VDB Entry vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2029
Third Party Advisory, VDB Entry vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4095-1/
Third Party Advisory, VDB Entry vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4115-1/
Third Party Advisory, VDB Entry vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4118-1/
Third Party Advisory, VDB Entry vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3309
Third Party Advisory, VDB Entry vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3517
Third Party Advisory, VDB Entry vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0100
Third Party Advisory, VDB Entry vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0103
Third Party Advisory, VDB Entry vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0179
Third Party Advisory, VDB Entry vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0543
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Mailing List, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114
Mailing List, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37
Mailing List, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/project-zero/issues/detail?id=1790
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152663/Linux-Missing-Lockdown.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190517-0002/
Third Party Advisory x_refsource_confirm
https://support.f5.com/csp/article/K51674118
Third Party Advisory, VDB Entry x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200608-0001/

Scores

CVSS v3 7.0
EPSS 0.0099
EPSS Percentile 57.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-667
Status published
Products (1)
linux/linux_kernel 2.16.12 - 3.16.66
Published Apr 29, 2019
Tracked Since Feb 18, 2026