CVE-2019-15791

HIGH

Linux Kernel shiftfs - Integer Underflow in shiftfs_btrfs_ioctl_fd_replace

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-15791.

AI-analyzed exploit summary The exploit demonstrates a reference counting flaw in shiftfs_btrfs_ioctl_fd_replace() leading to a use-after-free condition, causing a kernel crash. It includes a PoC that triggers the vulnerability via a crafted ioctl call on a shiftfs-mounted filesystem.

Description

In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.

Exploits (1)

exploitdb WORKING POC
doslinux
https://www.exploit-db.com/exploits/47693

The exploit demonstrates a reference counting flaw in shiftfs_btrfs_ioctl_fd_replace() leading to a use-after-free condition, causing a kernel crash. It includes a PoC that triggers the vulnerability via a crafted ioctl call on a shiftfs-mounted filesystem.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel shiftfs module (Ubuntu 19.10, kernel 5.3.0-19-generic)
No auth needed
Prerequisites: User namespace access · shiftfs filesystem mounted
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory x_refsource_misc
https://usn.ubuntu.com/usn/usn-4183-1
Third Party Advisory x_refsource_misc
https://usn.ubuntu.com/usn/usn-4184-1

Scores

CVSS v3 7.1
EPSS 0.0132
EPSS Percentile 66.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Details

CWE
CWE-191 CWE-672
Status published
Products (4)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
linux/linux_kernel 5.0
linux/linux_kernel 5.3
Published Apr 24, 2020
Tracked Since Feb 18, 2026