CVE-2018-19854 — Sensitive Information Exposure in Kernel
Severity
4.7MEDIUMNVD
OSV7.0OSV5.5OSV2.1
EPSS
0.1%
top 83.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 4
Latest updateMay 13
Description
An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option).
CVSS vector
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6
Affected Packages4 packages
Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10
Patches
🔴Vulnerability Details
6OSV▶
linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, linux-raspi2 vulnerabilities↗2019-03-05