CVE-2019-19049

HIGH

Linux kernel <5.3.10 - Memory Corruption

Title source: llm

Description

A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel before 5.3.10 allows attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures, aka CID-e13de8fe0d6a. NOTE: third parties dispute the relevance of this because unittest.c can only be reached during boot

References (4)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html

[Issue Tracking] https://bugzilla.suse.com/show_bug.cgi?id=1157173

[Release Notes] https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.10

[Patch] https://github.com/torvalds/linux/commit/e13de8fe0d6a51341671bbe384826d527afe8d44

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0068

EPSS Percentile 71.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-401

Status published

Affected Products (2)

linux/linux_kernel < 4.4.200

opensuse/leap

Timeline

Published Nov 18, 2019

Tracked Since Feb 18, 2026