CVE-2019-11599
HighThe coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.
CVSS 3.1 score
7.0
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness type
CWE-667CVE-2019-11599 is a Improper Locking vulnerability
What is Improper Locking?
The product does not properly acquire or release a lock, which can lead to unexpected behaviour. Learn more on MITRE CWE
References
The following references provide additional information about CVE-2019-11599 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
-
Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Exploit Third Party Advisory VDB Entry
-
Packet Stormhttp://packetstormsecurity.com/files/153702/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.htmlThird Party Advisory VDB Entry
-
Mailing List Third Party Advisory
-
Mailing List Third Party Advisory
-
Mailing List Third Party Advisory
-
Securityfocushttp://www.securityfocus.com/bid/108113Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Third Party Advisory VDB Entry
-
Exploit Mailing List Third Party Advisory
-
Mailing List Vendor Advisory
-
Mailing List Vendor Advisory
-
Mailing List Vendor Advisory
-
Exploit
-
Third Party Advisory
-
Broken Link
-
Mailing List Third Party Advisory
-
Mailing List Third Party Advisory
-
Third Party Advisory
-
Third Party Advisory VDB Entry
-
Third Party Advisory
-
Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/4069-1/Third Party Advisory
-
Ubuntu Securityhttps://usn.ubuntu.com/4069-2/Third Party Advisory VDB Entry
-
Ubuntu Securityhttps://usn.ubuntu.com/4095-1/Third Party Advisory VDB Entry
-
Ubuntu Securityhttps://usn.ubuntu.com/4115-1/Third Party Advisory VDB Entry
-
Ubuntu Securityhttps://usn.ubuntu.com/4118-1/Third Party Advisory VDB Entry
-
Debian Securityhttps://www.debian.org/security/2019/dsa-4465Third Party Advisory
-
Exploit-DBhttps://www.exploit-db.com/exploits/46781/Exploit Third Party Advisory VDB Entry
-
Third Party Advisory
-
PatchKernel patch commithttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04f5866e41fb70690e28397487d8bd8eea7d712a
-
PatchKernel patch commithttps://github.com/torvalds/linux/commit/04f5866e41fb70690e28397487d8bd8eea7d712a
Frequently asked questions
-
What is CVE-2019-11599?
CVE-2019-11599 is a High severity Linux kernel vulnerability with a CVSS score of 7.0 out of 10 , classified as an Improper Locking flaw (CWE-667) . CVE-2019-11599 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
What is the CVSS score for CVE-2019-11599?
CVE-2019-11599 has a CVSS score of 7.0 out of 10, rated High severity (CVSS 3.1). The vector string is
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. -
Is there a patch available for CVE-2019-11599?
No patch is currently available for CVE-2019-11599. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
-
Is CVE-2019-11599 actively exploited?
No — CVE-2019-11599 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
-
What is Improper Locking (CWE-667)?
The product does not properly acquire or release a lock, which can lead to unexpected behaviour. View CWE-667 on MITRE CWE →