CVE-2019-19922

Severity: 5.5 MEDIUM
EPSS: 0.1% (top 71.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2019-12-22, latest update 2022-05-24

Description

kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into
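
As an added example (not part of this advisory and not code from the kernel project), the POSIX shell triage script below checks a kernel version string against the 5.3.9 cutoff named in the description, reports how much CPU a cgroup's cpu.cfs_quota_us grants it, and computes from cpu.stat how often that cgroup was throttled, which is the symptom to watch on a workload that is not CPU-bound. It assumes the cgroup v1 cpu controller file names (cpu.cfs_quota_us, cpu.cfs_period_us, and cpu.stat with nr_periods and nr_throttled) and uses a constructed sample cgroup directory so it runs offline; point quota_cpus and throttle_pct at a real cgroup directory such as a Kubernetes pod's to use it on a host. The version check is only a hint: distributions backport the fix (commit de53fd7aedb1) under older version numbers, so confirm against the vendor advisory for your distribution.

```shell
#!/bin/sh
# Added example for triaging CVE-2019-19922; not code from the advisory or the
# kernel project. Assumes the cgroup v1 cpu controller file names
# (cpu.cfs_quota_us, cpu.cfs_period_us, cpu.stat with nr_periods and
# nr_throttled) and takes the 5.3.9 cutoff from the CVE text.

# Return 0 when "$1" is an upstream kernel version older than 5.3.9.
# Distro suffixes ("5.3.0-40-generic") are stripped first. "Older" is only a
# hint: distributions backport the fix (commit de53fd7aedb1) under older
# version numbers, so confirm against the vendor advisory for your distro.
kernel_older_than_5_3_9() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  [ -n "$v" ] || { echo "unparseable version: $1" >&2; return 2; }
  maj=${v%%.*}
  rest=${v#*.}
  if [ "$rest" = "$v" ]; then
    min=0; pat=0
  else
    min=${rest%%.*}
    rest2=${rest#*.}
    if [ "$rest2" = "$rest" ]; then pat=0; else pat=${rest2%%.*}; fi
  fi
  [ "$maj" -lt 5 ] && return 0
  [ "$maj" -gt 5 ] && return 1
  [ "$min" -lt 3 ] && return 0
  [ "$min" -gt 3 ] && return 1
  [ "$pat" -lt 9 ]
}

# Quota of the cgroup directory "$1" expressed in CPUs. A value of -1 in
# cpu.cfs_quota_us means unlimited, so CFS bandwidth control (and with it the
# affected code path) is not in use for that cgroup.
quota_cpus() {
  q=$(cat "$1/cpu.cfs_quota_us")
  p=$(cat "$1/cpu.cfs_period_us")
  if [ "$q" -lt 0 ]; then
    echo unlimited
  else
    awk -v q="$q" -v p="$p" 'BEGIN { printf "%.2f\n", q / p }'
  fi
}

# Percentage of CFS periods in which the cgroup was throttled, read from the
# cpu.stat file "$1". Throttling that climbs on a workload that is not
# CPU-bound is the symptom the description calls unwanted slice expiration.
throttle_pct() {
  awk '/^nr_periods /   { p = $2 }
       /^nr_throttled / { t = $2 }
       END { if (p == 0) print 0; else printf "%d\n", (t * 100) / p }' "$1"
}

# Constructed sample cgroup (not data from a real host) so this runs offline.
demo=$(mktemp -d)
echo 50000  > "$demo/cpu.cfs_quota_us"
echo 100000 > "$demo/cpu.cfs_period_us"
printf 'nr_periods 1000\nnr_throttled 250\nthrottled_time 987654321\n' > "$demo/cpu.stat"

if kernel_older_than_5_3_9 "$(uname -r)"; then
  echo "kernel $(uname -r): predates 5.3.9, check your vendor advisory for a backport"
else
  echo "kernel $(uname -r): at or after 5.3.9"
fi
echo "sample cgroup: quota $(quota_cpus "$demo") CPUs, throttled in $(throttle_pct "$demo/cpu.stat")% of periods"
rm -rf "$demo"
```

On a live host the throttling figure is a ratio since the cgroup was created; sample cpu.stat twice a few seconds apart and diff the counters to see whether throttling is currently rising for a process that is mostly idle.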

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (6 packages)

Also affects: Debian Linux 8.0, Ubuntu Linux 18.04, 19.04

Patches

Vulnerability Details (3)

GHSA: GHSA-q3fc-6x2v-6ph8: kernel/sched/fair (2022-05-24)
OSV: CVE-2019-19922: kernel/sched/fair (2019-12-22)
CVEList: CVE-2019-19922: kernel/sched/fair (2019-12-22)

Vendor Advisories (3)

Ubuntu: Linux kernel vulnerabilities (2020-01-07)
Red Hat: kernel: when cpu.cfs_quota_us is used allows attackers to cause a denial of service against non-cpu-bound applications (2019-12-22)
Debian: CVE-2019-19922: linux - kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is u... (2019)

Community (2)

Bugzilla: CVE-2019-19922 kernel: when cpu.cfs_quota_us is used allows attackers to cause a denial of service against non-cpu-bound applications (2020-01-17)
Bugzilla: CVE-2019-19922 kernel: when cpu.cfs_quota_us is used allows attackers to cause a denial of service against non-cpu-bound applications [fedora-all] (2020-01-17)