CVE-2019-19319
MEDIUMLinux Kernel < 5.2 - Use-After-Free in ext4_xattr_set_entry
Title source: llmDescription
In the Linux kernel before 5.2, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call, aka CID-345c0dbf3a30.
References (10)
Core 10
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19319
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200103-0001/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2020/dsa-4698
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4391-1/
Issue Tracking x_refsource_misc
https://bugzilla.suse.com/show_bug.cgi?id=1158021
Patch x_refsource_confirm
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=345c0dbf3a30
Scores
CVSS v3
6.5
EPSS
0.0044
EPSS Percentile
63.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-416
CWE-787
Status
published
Products (4)
linux/linux_kernel
5.0.21
opensuse/leap
15.1
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
Published
Nov 27, 2019
Tracked Since
Feb 18, 2026