CVE-2019-19813 - Vulnerability Details

In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Linux	Linux Kernel
Netapp	Active Iq Unified Manager Aff A400 Aff A400 Firmware Aff A700s Aff A700s Firmware Data Availability Services Fas8300 Fas8300 Firmware Fas8700 Fas8700 Firmware H610s H610s Firmware Hci Management Node Solidfire Steelstore Cloud Integrated Storage

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:5.0.21:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*
	cpe:2.3:a:netapp:data_availability_services:-:::::::*
	cpe:2.3:a:netapp:hci_management_node:-:::::::*
	cpe:2.3:a:netapp:solidfire:-:::::::*
	cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*

Configuration 5 [-]

AND

cpe:2.3:o:netapp:aff_a700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:aff_a700s:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:netapp:fas8300_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:fas8300:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:netapp:fas8700_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:fas8700:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:netapp:aff_a400_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:aff_a400:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:netapp:h610s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h610s:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19813
https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html
https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html
https://nvd.nist.gov/vuln/detail/CVE-2019-19813
https://security.netapp.com/advisory/ntap-20200103-0001/
https://usn.ubuntu.com/4414-1/
https://www.cve.org/CVERecord?id=CVE-2019-19813

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-12-17T05:43:52

Updated: 2024-08-05T02:25:12.703Z

Reserved: 2019-12-16T00:00:00

Link: CVE-2019-19813

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-12-17T06:15:12.780

Modified: 2024-11-21T04:35:26.520

Link: CVE-2019-19813

Redhat

Severity : Moderate

Publid Date: 2019-12-17T00:00:00Z

Links: CVE-2019-19813 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object