CVE-2019-15031 — Improper Synchronization in Linux

CWE-662 — Improper Synchronization CWE-200 — Sensitive Information Exposure11 documents8 sources

Severity

4.4MEDIUMNVD

OSV7.8

EPSS

0.1%

top 84.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Canonical Ubuntu Linux +2 more

Timeline

PublishedSep 13

Latest updateMay 24

Description

In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:LExploitability: 1.8 | Impact: 2.5

Affected Packages5 packages

▶Debianlinux/linux_kernel< 5.2.17-1+3

▶Ubuntulinux/linux_kernel< 4.4.0-164.192+2

▶NVDlinux/linux_kernel5.2.14

▶debiandebian/linux< linux 5.2.17-1 (bookworm)

▶NVDopensuse/leap15.0, 15.1+1

Also affects: Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 19.04, Enterprise Linux 7.0, 8.0

Patches

Patch: www.openwall.com ↗Patch: git.kernel.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-68fj-98v6-jx78: In the Linux kernel through 5↗2022-05-24

▶

OSV

linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial vulnerabilities↗2019-09-18

▶

OSV

linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities↗2019-09-18

▶

OSV

CVE-2019-15031: In the Linux kernel through 5↗2019-09-13

▶

Kernel

powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts↗2019-09-04

▶

📋Vendor Advisories

Ubuntu

Linux kernel vulnerabilities↗2019-09-18

▶

Red Hat

kernel: powerpc: local user can read vector registers of other users' processes via an interrupt↗2019-09-13

▶

Debian

CVE-2019-15031: linux - In the Linux kernel through 5.2.14 on the powerpc platform, a local user can rea...↗2019

▶

💬Community

Bugzilla

CVE-2019-15031 kernel: powerpc: local user can read vector registers of other users' processes via an interrupt↗2019-10-09

▶

Bugzilla

CVE-2019-15031 kernel: powerpc: local user can read vector registers of other users' processes via an interrupt [fedora-all]↗2019-10-09

▶