Vulnerability Description
In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this will cause a denial of service.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | <= 5.0.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/107527Third Party AdvisoryVDB Entry
- https://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs.git/commit/?h=fsnoPatchVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://patchwork.kernel.org/patch/10836283/PatchVendor Advisory
- https://security.netapp.com/advisory/ntap-20190404-0002/
- http://www.securityfocus.com/bid/107527Third Party AdvisoryVDB Entry
- https://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs.git/commit/?h=fsnoPatchVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://patchwork.kernel.org/patch/10836283/PatchVendor Advisory
- https://security.netapp.com/advisory/ntap-20190404-0002/
FAQ
What is CVE-2019-9857?
CVE-2019-9857 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(),...
How severe is CVE-2019-9857?
CVE-2019-9857 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-9857?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.