CVE-2019-7308 — Sensitive Information Exposure in Kernel

CWE-189 CWE-200 — Sensitive Information Exposure14 documents7 sources

Severity

5.6MEDIUMNVD

OSV7.8

EPSS

0.0%

top 90.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Canonical Ubuntu Linux +1 more

Timeline

PublishedFeb 1

Latest updateMay 13

Description

kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.1 | Impact: 4.0

Affected Packages5 packages

▶NVDlinux/linux_kernel4.20.0 — 4.20.6+1

▶Debianlinux/linux_kernel< 4.19.20-1+3

▶Ubuntulinux/linux_kernel< 4.15.0-47.50

▶debiandebian/linux< linux 4.19.20-1 (bookworm)

▶NVDopensuse/leap15.0

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10

Patches

Patch: git.kernel.org ↗Patch: git.kernel.org ↗Patch: bugs.chromium.org ↗

🔴Vulnerability Details

GHSA

GHSA-vww8-62hf-x3fx: kernel/bpf/verifier↗2022-05-13

▶

OSV

linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, linux-raspi2 vulnerabilities↗2019-04-02

▶

OSV

linux-hwe, linux-azure vulnerabilities↗2019-04-02

▶

OSV

linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle vulnerabilities↗2019-04-02

▶

OSV

CVE-2019-7308: kernel/bpf/verifier↗2019-02-01

▶

📋Vendor Advisories

Ubuntu

Linux kernel (HWE) vulnerabilities↗2019-04-02

▶

Ubuntu

Linux kernel (HWE) vulnerabilities↗2019-04-02

▶

Ubuntu

Linux kernel vulnerabilities↗2019-04-02

▶

Ubuntu

Linux kernel vulnerabilities↗2019-04-02

▶

Red Hat

kernel: eBPF: Spectre v1 mitigation bypass↗2019-01-03

▶

💬Community

Bugzilla

CVE-2019-7308 kernel: eBPF: Spectre v1 mitigation bypass↗2019-02-04

▶

Bugzilla

CVE-2019-7308 kernel: eBPF: Spectre v1 mitigation bypass [fedora-all]↗2019-02-04

▶