CVE-2019-8912 Detail

Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis, which may result in further changes to the information provided.

Current Description

In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.

Severity

CVSS 3.x Severity and Metrics:

NIST: NVD
Base Score: 7.8 HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Metrics:



NIST: NVD
Base Score: 7.2 HIGH
Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Weakness Enumeration

CWE-ID: CWE-416
CWE Name: Use After Free
Source: NIST

Change History

8 change records found

CVE Modified by MITRE 1/21/2020 3:15:14 PM

Action: Added
Type: Reference
New Value: https://access.redhat.com/errata/RHSA-2020:0174 [No Types Assigned]



CVE Modified by MITRE 4/12/2019 8:29:01 AM

Action: Added
Type: Reference
New Value: http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00052.html [No Types Assigned]



CVE Modified by MITRE 4/02/2019 9:29:06 PM

Action: Added
Type: Reference
New Value: https://usn.ubuntu.com/3930-1/ [No Types Assigned]

Action: Added
Type: Reference
New Value: https://usn.ubuntu.com/3930-2/ [No Types Assigned]

Action: Added
Type: Reference
New Value: https://usn.ubuntu.com/3931-1/ [No Types Assigned]

Action: Added
Type: Reference
New Value: https://usn.ubuntu.com/3931-2/ [No Types Assigned]



Reanalysis 3/06/2019 1:11:37 PM

Action: Added
Type: CPE Configuration
New Value: OR *cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Action: Changed
Type: CVSS V2
Old Value: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
New Value: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Action: Changed
Type: CVSS V3
Old Value: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
New Value: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Action: Added
Type: Reference
New Value: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-8912 [Issue Tracking, Patch, Third Party Advisory]



Modified Analysis 2/25/2019 3:37:09 PM

Action: Changed
Type: CPE Configuration
Old Value: OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (including) 4.20.10
New Value: OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (including) 4.20.11



CVE Modified by MITRE 2/20/2019 8:29:00 PM

Action: Changed
Type: Description
Old Value: In the Linux kernel through 4.20.10, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.
New Value: In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.



Initial Analysis 2/19/2019 4:12:17 PM

Action: Added
Type: CPE Configuration
New Value: OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (including) 4.20.10

Action: Added
Type: CVSS V2
New Value: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Action: Added
Type: CVSS V3
New Value: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Action: Added
Type: CWE
New Value: CWE-416

Action: Changed
Type: Reference Type
Old Value: http://patchwork.ozlabs.org/patch/1042902/ No Types Assigned
New Value: http://patchwork.ozlabs.org/patch/1042902/ Patch, Third Party Advisory

Action: Changed
Type: Reference Type
Old Value: http://www.securityfocus.com/bid/107063 No Types Assigned
New Value: http://www.securityfocus.com/bid/107063 Third Party Advisory, VDB Entry



CVE Modified by MITRE 2/19/2019 6:29:09 AM

Action: Added
Type: Reference
New Value: http://www.securityfocus.com/bid/107063 [No Types Assigned]



Quick Info

CVE Dictionary Entry: CVE-2019-8912
NVD Published Date: 02/18/2019
NVD Last Modified: 04/12/2019
Source: MITRE

