CVE-2019-15902

MEDIUM

Linux Kernel 4.4-5.2 Spectre-v1 Exposure via Incorrect ptrace Backport


Description

A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre-v1 exposure that it aimed to eliminate. This occurred because the stable backport process depends on cherry-picking specific commits, and two code lines that were correctly ordered upstream ended up swapped in the backport: the array load still consumed the unsanitized index, so the bounds-clamping call added by the fix protected nothing during speculation. Architecturally the function behaves identically with either ordering, which is why functional testing did not catch the swap.
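The following is an added example, not part of the CVE record and not code from the kernel tree: a user-space C model of the ordering error described above. Two things in it are labelled assumptions: array_index_mask_nospec() is a transcription of the generic C fallback in <linux/nospec.h>, and the "botched" body reconstructs the swapped ordering from the CVE text (load through the raw index, then compute a sanitized index that nothing uses) rather than copying a stable-tree diff. The "mispredicted" flag models the Spectre-v1 window in which the CPU runs the body despite n being out of range; it is a model of which slot the load would touch, not a cache-timing measurement.

```c
/*
 * Added example, not part of the CVE record or of the kernel tree: a
 * user-space model of the ptrace_get_debugreg() backport error.
 *
 * Labelled assumptions: array_index_mask_nospec() is a transcription of
 * the generic C fallback in <linux/nospec.h>; the two orderings below are
 * reconstructed from the CVE text (load through the raw index first, then
 * an unused sanitized index) rather than copied from a stable-tree diff.
 */
#include <stdio.h>

#define HBP_NUM 4   /* x86 hardware breakpoint slots DR0..DR3 */
#define BITS_PER_LONG (8 * (int)sizeof(unsigned long))

/* Generic fallback from the kernel: ~0UL when index < size, 0 otherwise,
 * computed with arithmetic only, so a mispredicted branch cannot skip it. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Function form of the kernel's array_index_nospec() macro: returns the
 * index unchanged when in range and 0 when it is not (negative included). */
static inline int array_index_nospec_int(int index, int size)
{
	unsigned long mask = array_index_mask_nospec((unsigned long)index,
	                                             (unsigned long)size);
	return (int)((unsigned long)index & mask);
}

/* Constructed stand-in for thread->ptrace_bps[]: one value per slot. */
static const unsigned long ptrace_bps[HBP_NUM] = { 0xd0, 0xd1, 0xd2, 0xd3 };

enum ordering { BOTCHED_BACKPORT, UPSTREAM_FIX };

/*
 * Which slot does the ptrace_bps[] load consume? Returns -1 when the
 * bounds check retires and the body is skipped. 'mispredicted' models the
 * Spectre-v1 window: the body executes speculatively although n >= HBP_NUM.
 * The slot number is returned instead of performing the load so the model
 * is safe to run with out-of-range n.
 */
static long slot_loaded(int n, int mispredicted, enum ordering order)
{
	if (!(n < HBP_NUM) && !mispredicted)
		return -1;

	if (order == BOTCHED_BACKPORT) {
		long slot = n;                                /* bp = thread->ptrace_bps[n];           */
		int idx = array_index_nospec_int(n, HBP_NUM); /* clamp computed after the load, unused */
		(void)idx;
		return slot;
	}

	{
		int idx = array_index_nospec_int(n, HBP_NUM); /* clamp first...                        */
		return idx;                                   /* ...then bp = thread->ptrace_bps[idx]; */
	}
}

/* Architectural result: identical for both orderings at every n, which is
 * why functional regression tests never distinguished the botched backport
 * from the upstream fix. */
static unsigned long read_debugreg(int n, enum ordering order)
{
	long slot = slot_loaded(n, 0, order);
	return slot < 0 ? 0 : ptrace_bps[slot];
}

int main(void)
{
	static const int probes[] = { 0, 3, 4, 7, 1000 };
	for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
		int n = probes[i];
		printf("n=%4d  arch: botched=%#lx fixed=%#lx  "
		       "speculative slot: botched=%ld fixed=%ld\n",
		       n,
		       read_debugreg(n, BOTCHED_BACKPORT),
		       read_debugreg(n, UPSTREAM_FIX),
		       slot_loaded(n, 1, BOTCHED_BACKPORT),
		       slot_loaded(n, 1, UPSTREAM_FIX));
	}
	return 0;
}
```

The point the model makes: for every n the two orderings return the same architectural value, so a test suite that only checks PTRACE_PEEKUSR results passes both. Only the index that reaches the load inside the speculative window differs, and there the botched ordering forwards the attacker-controlled n unchanged while the upstream ordering forwards 0. Reviewing a Spectre-v1 backport therefore means checking that the sanitized index is the one actually dereferenced, not merely that array_index_nospec() appears in the function.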

References (13)

Exploit, Patch, Third Party Advisory x_refsource_misc
https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Sep/41
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4531
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20191004-0001/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4157-1/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4162-1/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4157-2/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4163-1/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4163-2/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4162-2/

Scores

CVSS v3 5.6
EPSS 0.0009
EPSS Percentile 24.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (9)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
linux/linux_kernel 4.4 - 4.4.190
netapp/active_iq_performance_analytics_services
netapp/baseboard_management_controller_firmware
netapp/service_processor
opensuse/leap 15.0
opensuse/leap 15.1
Published Sep 04, 2019
Tracked Since Feb 18, 2026