CVE-2019-20794Missing Release of Resource after Effective Lifetime in Kernel

CWE-772Missing Release of Resource after Effective LifetimeCWE-400Uncontrolled Resource Consumption8 documents7 sources
Severity
4.7MEDIUMNVD
EPSS
0.1%
top 74.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Linux KernelDebian LinuxMsrc CBL Mariner 1.0 ARM+2 more
Timeline
PublishedMay 9
Latest updateMay 24

Description

An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.0 | Impact: 3.6

Affected Packages5 packages

NVDlinux/linux_kernel4.185.6.11
debiandebian/linux

🔴Vulnerability Details

2
GHSA
GHSA-j4w8-rj66-g2q9: An issue was discovered in the Linux kernel 42022-05-24
OSV
CVE-2019-20794: An issue was discovered in the Linux kernel 42020-05-09

📋Vendor Advisories

3
Microsoft
An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace and mount a FUSE filesystem. Upon interaction w2020-05-12
Red Hat
kernel: task processes not being properly ended could lead to resource exhaustion2020-05-09
Debian
CVE-2019-20794: linux - An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivilege...2019

💬Community

2
Bugzilla
CVE-2019-20794 kernel: task processes not being properly ended could lead to resource exhaustion2020-06-19
Bugzilla
CVE-2019-20794 kernel: task processes not being properly ended could lead to resource exhaustion [fedora-all]2020-06-19