PT-2019-4661 · Linux+2 · Linux Kernel+2

Published

2019-11-25

·

Updated

2024-11-29

·

CVE-2019-19241

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 5.4.2
Description The issue is related to the io uring feature in the Linux kernel, which can lead to requests being executed with UID 0 and full capabilities, even when initiated by an unprivileged user. This can allow an attacker to bypass intended restrictions, such as adding an IPv4 address to the loopback interface. The problem arises because IORING OP SENDMSG operations are sometimes performed by a kernel worker thread without considering the context of the requesting user. The estimated number of potentially affected devices is not provided.
Recommendations For Linux kernel versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the io uring feature until a patch is available.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

ALT-PU-2019-3293
ALT-PU-2019-3343
ALT-PU-2019-3369
ALT-PU-2020-1198
ALT-PU-2020-1421
ALT-PU-2020-1450
ALT-PU-2020-1501
ALT-PU-2020-1714
ALT-PU-2020-2410
ALT-PU-2020-2433
ALT-PU-2021-1870
BDU:2020-00853
CVE-2019-19241
USN-4284-1

Affected Products

Alt Linux
Linux Kernel
Ubuntu