CVE-2019-16746
Published 2019-09-24
Priority P352 · Critical 9.8 · CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 12.65% (95.8th percentile)
An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.
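The missing check the description refers to is a walk over the variable-length information elements of a beacon head that confirms each declared element length fits inside the buffer actually supplied. The following is an added example, not code from the kernel or from any of the advisories on this page: the 802.11 header and fixed-part sizes are standard, while the function names, the constructed sample head and its corrupt variant are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Beacon head as passed to the kernel over nl80211: 24-byte 802.11 header,
 * 12-byte fixed part, then information elements <id:1><len:1><data:len>. */
#define IEEE80211_HDRLEN   24
#define BEACON_FIXED_LEN   12
#define BEACON_IES_OFFSET  (IEEE80211_HDRLEN + BEACON_FIXED_LEN)

/* Hardened parser: refuse the head unless every element's declared length
 * fits inside the buffer actually supplied (the missing check at issue). */
bool beacon_head_is_valid(const uint8_t *head, size_t len)
{
    if (len < BEACON_IES_OFFSET)
        return false;                 /* fixed part is truncated */
    size_t pos = BEACON_IES_OFFSET;
    while (pos < len) {
        if (len - pos < 2)
            return false;             /* no room for id + len */
        size_t elen = head[pos + 1];
        if (elen > len - pos - 2)
            return false;             /* declared data overruns buffer */
        pos += 2 + elen;
    }
    return true;
}

/* Look up element 'eid' only on a validated head, so the '*elen' bytes at
 * the returned pointer are guaranteed to lie inside 'head'. */
const uint8_t *beacon_find_ie(const uint8_t *head, size_t len,
                              uint8_t eid, size_t *elen)
{
    if (!beacon_head_is_valid(head, len))
        return NULL;
    for (size_t pos = BEACON_IES_OFFSET; pos < len; pos += 2 + head[pos + 1])
        if (head[pos] == eid) {
            *elen = head[pos + 1];
            return head + pos + 2;
        }
    return NULL;
}

/* Constructed sample, not a captured frame: zeroed header and fixed part,
 * SSID "test", then a two-byte Supported Rates element. With 'corrupt' set
 * the SSID element claims 32 data bytes the buffer does not hold. */
size_t build_sample_head(uint8_t *buf, size_t cap, bool corrupt)
{
    static const uint8_t ies[] = {0, 4, 't', 'e', 's', 't', 1, 2, 0x82, 0x84};
    size_t total = BEACON_IES_OFFSET + sizeof ies;
    if (cap < total)
        return 0;                     /* caller's buffer too small */
    memset(buf, 0, BEACON_IES_OFFSET);
    memcpy(buf + BEACON_IES_OFFSET, ies, sizeof ies);
    if (corrupt)
        buf[BEACON_IES_OFFSET + 1] = 0x20;
    return total;
}
```

A consumer that reads an element's data using only the declared length, without first running a check like beacon_head_is_valid(), reads or writes past the supplied buffer whenever that length is larger than the bytes that remain.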
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < linux 5.3.7-1 (bookworm) | linux 5.3.7-1 (bookworm) |
| fedoraproject | fedora | — | — |
| android | — | — | — |
| linux | linux_kernel | >= 0 < 5.3.7-1 | 5.3.7-1 |
| linux | linux_kernel | >= 0 < 5.3.7-1 | 5.3.7-1 |
| linux | linux_kernel | >= 0 < 5.3.7-1 | 5.3.7-1 |
| linux | linux_kernel | >= 0 < 5.3.7-1 | 5.3.7-1 |
| linux | linux_kernel | >= 0 < 4.4.0-168.197 | 4.4.0-168.197 |
| linux | linux_kernel | >= 0 < 4.4.0-169.198 | 4.4.0-169.198 |
| linux | linux_kernel | >= 0 < 4.15.0-72.81 | 4.15.0-72.81 |
| linux | linux_kernel | >= 2.6.25 < 3.16.79 | 3.16.79 |
| linux | linux_kernel | >= 3.17 < 4.4.197 | 4.4.197 |
| linux | linux_kernel | >= 4.10 < 4.14.149 | 4.14.149 |
| linux | linux_kernel | >= 4.15 < 4.19.79 | 4.19.79 |
| linux | linux_kernel | >= 4.20 < 5.3.6 | 5.3.6 |
| linux | linux_kernel | >= 4.5 < 4.9.197 | 4.9.197 |
| opensuse | leap | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
GHSA
GHSA-7rf2-mmqc-5w99: An issue was discovered in net/wireless/nl80211
ghsa_unreviewed · 2022-05-24 · CVE-2019-16746 · HIGH · CWE-120
An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.
Kernel
fortify: Detect struct member overflows in memcpy() at compile-time
kernel_security · 2021-04-20 · CVE-2019-0145
memcpy() is dead; long live memcpy()
tl;dr: In order to eliminate a large class of common buffer overflow
flaws that continue to persist in the kernel, have memcpy() (under
CONFIG_FORTIFY_SOURCE) perform bounds checking of the destination struct
member when they have a known size. This would have caught all of the
memcpy()-related buffer write overflow flaws identified in at least the
last three years.
Background and analysis:
While stack-based buffer overflow flaws are largely mitigated by stack
canaries (and similar) features, heap-based buffer overflow flaws continue
to regularly appear in the kernel. Many classes of heap buffer overflows
are mitigated by FORTIFY_SOURCE when using the strcpy() family of
functions, b
OSV
CVE-2019-16746: In multiple methods, there is a possible out of bounds read due to a missing bounds check during initial processing of a beacon packet
osv · 2020-08-01 · CVE-2019-16746
In multiple methods, there is a possible out of bounds read due to a missing bounds check during initial processing of a beacon packet. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
OSV
linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities
osv · 2019-12-03 · CVE-2019-16746 · CRITICAL · CVSS 9.8
It was discovered that a buffer overflow existed in the 802.11 Wi-Fi
configuration interface for the Linux kernel when handling beacon settings.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2019-16746)
Nicolas Waisman discovered that the WiFi driver stack in the Linux kernel
did not properly validate SSID lengths. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2019-17133)
It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel
did not properly deallocate memory in certain error conditions. A local
a
OSV
linux, linux-aws, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2 vulnerabilities
osv · 2019-12-02 · CVE-2019-15794 · MEDIUM · CVSS 6.7
Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux
kernel did not properly handle reference counting during memory mapping
operations when used in conjunction with AUFS. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2019-15794)
It was discovered that a buffer overflow existed in the 802.11 Wi-Fi
configuration interface for the Linux kernel when handling beacon settings.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2019-16746)
It was discovered that there was a memory le
OSV
linux, linux-aws, linux-kvm vulnerabilities
osv · 2019-11-13 · MEDIUM · CVSS 6.5
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory contents previously stored in microarchitectural buffers to a
malicious process that is executing on the same CPU core. A local attacker
could use this to expose sensitive information. (CVE-2019-11135)
It was discovered that the Intel i915 graphics chipsets allowed userspace
to modify page table entries via writes to MMIO from the Blitter Command
Streamer and expose kernel memory information. A local attacker could use
this to expose sensitive i
OSV
linux vulnerability
osv · 2019-11-13 · CVE-2019-0155 · MEDIUM · CVSS 6.5
USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered
that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command
Streamer check) was incomplete on 64-bit Intel x86 systems. This
update addresses the issue.
We apologize for the inconvenience.
Original advisory details:
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory contents previously stored in microarchitectural buffers to a
malicious process that is executing on the same CPU core. A local attacker
could use this to expose sensitive inf
OSV
CVE-2019-16746: An issue was discovered in net/wireless/nl80211
osv · 2019-09-24 · CVE-2019-16746 · CRITICAL · CVSS 9.8
An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.
Android
CVE-2019-16746: Linux Wireless Subsystem
vendor_android · 2020-08-01 · CVE-2019-16746 · CRITICAL · CVSS 9.8
Android Security Bulletin 2020-08-01
CVE: CVE-2019-16746
Severity: HIGH
Type: ID
Component: Linux Wireless Subsystem
References: A-145728612
Upstream kernel
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2019-12-03 · CVE-2019-16746 · CRITICAL · CVSS 9.8
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a buffer overflow existed in the 802.11 Wi-Fi
configuration interface for the Linux kernel when handling beacon settings.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2019-16746)
Nicolas Waisman discovered that the WiFi driver stack in the Linux kernel
did not properly validate SSID lengths. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2019-17133)
It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to cause a denial of service
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2019-12-02 · CVE-2019-15794 · HIGH · CVSS 7.1
Summary: Several security issues were fixed in the Linux kernel.
Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux
kernel did not properly handle reference counting during memory mapping
operations when used in conjunction with AUFS. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2019-15794)
It was discovered that a buffer overflow existed in the 802.11 Wi-Fi
configuration interface for the Linux kernel when handling beacon settings.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2019-16746)
It was discovered that there was a memory leak in the Advanced Buffer
Management functionality of th
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2019-11-13 · CVE-2018-12207 · MEDIUM · CVSS 6.5
Summary: Several security issues were fixed in the Linux kernel.
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory contents previously stored in microarchitectural buffers to a
malicious process that is executing on the same CPU core. A local attacker
could use this to expose sensitive information. (CVE-2019-11135)
It was discovered that the Intel i915 graphics chipsets allowed userspace
to modify page table entries via writes to MMIO from the Blitter Command
Streamer and expose kernel memory informat
Ubuntu
Linux kernel vulnerability
vendor_ubuntu · 2019-11-13 · CVE-2019-0155 · MEDIUM · CVSS 6.5
Summary: Several security issues were fixed in the Linux kernel.
USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered
that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command
Streamer check) was incomplete on 64-bit Intel x86 systems. This
update addresses the issue.
We apologize for the inconvenience.
Original advisory details:
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory contents previously stored in microarchitectural buffers to a
malicious process that is executi
Ubuntu
Linux kernel vulnerability
vendor_ubuntu · 2019-11-13 · CVE-2019-0155 · MEDIUM · CVSS 6.5
Summary: Several security issues were fixed in the Linux kernel.
USN-4183-1 fixed vulnerabilities in the Linux kernel. It was
discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter
Command Streamer check) was incomplete on 64-bit Intel x86 systems.
This update addresses the issue.
We apologize for the inconvenience.
Original advisory details:
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory contents previously stored in microarchitectural buffers to a
malicious process that is executi
Red Hat
kernel: buffer-overflow hardening in WiFi beacon validation code.
vendor_redhat · 2019-09-11 · CVE-2019-16746 · CRITICAL · CWE-120 · CVSS 9.8
An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.
A flaw in the Linux kernel's WiFi beacon validation code was discovered. The code does not check the length of the variable length elements in the beacon head potentially leading to a buffer overflow. System availability, as well as data confidentiality and integrity, can be impacted by this vulnerability.
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Will not fix
Package: kernel-alt (Red Hat Enterprise Linux 7) - Will not fix
Package: kernel-rt (Red Hat Enterprise Linux 8) - Af
Debian
CVE-2019-16746: linux - An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5....
vendor_debian · 2019 · CVE-2019-16746 · CRITICAL · CVSS 9.8
An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.
Scope: local
bookworm: resolved (fixed in 5.3.7-1)
bullseye: resolved (fixed in 5.3.7-1)
forky: resolved (fixed in 5.3.7-1)
sid: resolved (fixed in 5.3.7-1)
trixie: resolved (fixed in 5.3.7-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-16746 kernel: buffer-overflow in net/wireless/nl80211.c [fedora-all]
bugzilla · 2019-10-10 · CVE-2019-16746 · CRITICAL · CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2019-16746 kernel: buffer-overflow hardening in WiFi beacon validation code.
bugzilla · 2019-10-10 · CVE-2019-16746 · CRITICAL · CVSS 9.8
An issue was discovered in the Linux kernel's WiFi beacon validation code. The parser does not check the length of variable-length elements in the beacon head. This could lead to a buffer overflow in code that relies on these values being within the specification.
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f88eb7c0d002a67ef31aeb7850b42ff69abc46dc
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1760307]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:1016 https://access.redhat.com/errata/RHSA-2020:1016
---
This issue has been addressed in the following products:
Red Ha
References:
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html
http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html
https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TASE2ESEZAER6DTZH3DJ4K2JNO46TVL7/
https://marc.info/?l=linux-wireless&m=156901391225058&w=2
https://seclists.org/bugtraq/2019/Nov/11
https://security.netapp.com/advisory/ntap-20191031-0005/
https://usn.ubuntu.com/4183-1/
https://usn.ubuntu.com/4186-1/
https://usn.ubuntu.com/4209-1/
https://usn.ubuntu.com/4210-1/
https://www.oracle.com/security-alerts/cpuApr2021.html