cbcvebase.
CVE-2019-15794
published 2020-04-24


Priority P431, medium 6.7 (CVSS 3.1)
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.16% (63.1th percentile)

Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file after call_mmap() returns an error. However, the aufs patches change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.

Affected

10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | linux | < linux 5.16.7-1 (bookworm) | linux 5.16.7-1 (bookworm) |
| linux | linux_kernel | | |
| linux | linux_kernel | | |
| linux | linux_kernel | >= 0 < 5.16.7-1 | 5.16.7-1 |
| linux | linux_kernel | >= 0 < 5.16.7-1 | 5.16.7-1 |
| linux | linux_kernel | >= 0 < 5.16.7-1 | 5.16.7-1 |
| ubuntu | linux_kernel | >= 5.0 kernel < 5.0.0-37.40 | 5.0.0-37.40 |
| ubuntu | linux_kernel | >= 5.3 kernel < 5.3.0-24.26 | 5.3.0-24.26 |

CVSS provenance

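| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 6.7 | MEDIUM | |
| vendor_debian | | 7.1 | HIGH | |
| vendor_redhat | | 7.1 | HIGH | |
| vendor_ubuntu | | 7.1 | HIGH | |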