CVE-2019-15902 — Sensitive Information Exposure in Linux

CWE-200 — Sensitive Information Exposure CWE-416 — Use After Free19 documents7 sources

Severity

5.6MEDIUMNVD

OSV7.8OSV7.0OSV5.5

EPSS

0.1%

top 75.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Debian Linux +1 more

Timeline

PublishedSep 4

Latest updateMay 24

Description

A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.1 | Impact: 4.0

Affected Packages5 packages

▶Debianlinux/linux_kernel< 5.2.17-1+3

▶Ubuntulinux/linux_kernel< 4.4.0-166.195+1

▶NVDlinux/linux_kernel4.4 — 4.4.190+4

▶debiandebian/linux< linux 5.2.17-1 (bookworm)

▶NVDopensuse/leap15.0, 15.1+1

Also affects: Debian Linux 10.0, 8.0, 9.0

Patches

Patch: grsecurity.net ↗Patch: grsecurity.net ↗

🔴Vulnerability Details

GHSA

GHSA-vww9-mp9g-8qvc: A backporting error was discovered in the Linux stable/longterm kernel 4↗2022-05-24

▶

OSV

linux-lts-xenial, linux-aws vulnerabilities↗2019-10-23

▶

OSV

linux-azure vulnerabilities↗2019-10-23

▶

OSV

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities↗2019-10-22

▶

OSV

linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities↗2019-10-22

▶

📋Vendor Advisories

Ubuntu

Linux kernel (Xenial HWE) vulnerabilities↗2019-10-23

▶

Ubuntu

Linux kernel (Azure) vulnerabilities↗2019-10-23

▶

Ubuntu

Linux kernel vulnerabilities↗2019-10-22

▶

Ubuntu

Linux kernel (HWE) vulnerabilities↗2019-10-22

▶

Ubuntu

Linux kernel vulnerabilities↗2019-10-22

▶

💬Community

Bugzilla

CVE-2019-15902 kernel: backporting error in ptrace_get_debugreg()↗2019-09-13

▶

Bugzilla

CVE-2019-15902 kernel: backporting error in ptrace_get_debugreg() [fedora-all]↗2019-09-13

▶

Bugzilla

CVE-2019-15902 kernel: backporting error in ptrace_get_debugreg() [fedora-all]↗2019-09-13

▶