CVE-2019-11599: Race Condition
First published: Fri Apr 19 2019(Updated: )
A flaw was found in the Linux kernel where the coredump implementation does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs. This allows local users to obtain sensitive information, cause a denial of service (DoS), or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1062.rt56.1022.el7 | 0:3.10.0-1062.rt56.1022.el7 |
| redhat/kernel | <0:3.10.0-1062.el7 | 0:3.10.0-1062.el7 |
| redhat/kernel | <0:3.10.0-693.62.1.el7 | 0:3.10.0-693.62.1.el7 |
| redhat/kernel | <0:3.10.0-862.48.1.el7 | 0:3.10.0-862.48.1.el7 |
| redhat/kernel | <0:3.10.0-957.43.1.el7 | 0:3.10.0-957.43.1.el7 |
| redhat/kernel-rt | <0:4.18.0-147.rt24.93.el8 | 0:4.18.0-147.rt24.93.el8 |
| redhat/kernel | <0:4.18.0-147.el8 | 0:4.18.0-147.el8 |
| redhat/kernel-rt | <1:3.10.0-693.62.1.rt56.659.el6 | 1:3.10.0-693.62.1.rt56.659.el6 |
| redhat/kernel | <5.0.10 | 5.0.10 |
| Android | ||
| Linux Kernel | >=2.16.12<3.16.66 | |
| Linux Kernel | >=3.17<4.4.183 | |
| Linux Kernel | >=4.5<4.9.188 | |
| Linux Kernel | >=4.10<4.14.114 | |
| Linux Kernel | >=4.15<4.19.37 | |
| Linux Kernel | >=4.20<5.0.10 | |
| Linux Kernel | <5.0.10 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.133-1 6.12.21-1 6.12.22-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-11599 https://nvd.nist.gov/vuln/detail/CVE-2019-11599
- https://bugzilla.redhat.com/show_bug.cgi?id=1705937
- https://access.redhat.com/errata/RHSA-2019:2043
- https://access.redhat.com/errata/RHSA-2019:2029
- https://access.redhat.com/errata/RHSA-2020:0103
- https://access.redhat.com/errata/RHSA-2020:0543
- https://access.redhat.com/errata/RHSA-2020:0179
- https://access.redhat.com/errata/RHSA-2019:3309
- https://access.redhat.com/errata/RHSA-2019:3517
- https://access.redhat.com/errata/RHSA-2020:0100
- https://access.redhat.com/security/cve/CVE-2019-11599
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html
- http://packetstormsecurity.com/files/152663/Linux-Missing-Lockdown.html
- http://packetstormsecurity.com/files/153702/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html
- http://www.openwall.com/lists/oss-security/2019/04/29/1
- http://www.openwall.com/lists/oss-security/2019/04/29/2
- http://www.openwall.com/lists/oss-security/2019/04/30/1
- http://www.securityfocus.com/bid/108113
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1790
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04f5866e41fb70690e28397487d8bd8eea7d712a
- https://github.com/torvalds/linux/commit/04f5866e41fb70690e28397487d8bd8eea7d712a
- https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00011.html
- https://seclists.org/bugtraq/2019/Jul/33
- https://seclists.org/bugtraq/2019/Jun/26
- https://security.netapp.com/advisory/ntap-20190517-0002/
- https://security.netapp.com/advisory/ntap-20200608-0001/
- https://support.f5.com/csp/article/K51674118
- https://support.f5.com/csp/article/K51674118?utm_source=f5support&utm_medium=RSS
- https://usn.ubuntu.com/4069-1/
- https://usn.ubuntu.com/4069-2/
- https://usn.ubuntu.com/4095-1/
- https://usn.ubuntu.com/4115-1/
- https://usn.ubuntu.com/4118-1/
- https://www.debian.org/security/2019/dsa-4465
- https://www.exploit-db.com/exploits/46781/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://support.f5.com/csp/article/K51674118?utm_source=f5support&amp;utm_medium=RSS
- https://launchpad.net/bugs/cve/CVE-2019-11599
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1705938
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1696015
- https://access.redhat.com/security/cve/cve-2019-11599
- https://support.f5.com/csp/article/K51674118?utm_source=f5support&%3Butm_medium=RSS
- https://android.googlesource.com/kernel/common/+/04f5866e41fb70690e28397487d8bd8eea7d712a
- https://android.googlesource.com/kernel/common/+/3378ce511d7a792ddf0d69d11ce5e284309893fd
- https://source.android.com/docs/security/bulletin/2020-02-01 (Advisory)
- https://marc.info/?l=linux-mm&m=155355419911404&w=2
- https://security-tracker.debian.org/tracker/CVE-2019-11599
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11599
- https://nvd.nist.gov/vuln/detail/CVE-2019-11599
- https://ubuntu.com/security/CVE-2019-11599
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-11599?
CVE-2019-11599 has been assigned a severity rating of medium due to its potential to allow local users to cause a denial of service or obtain sensitive information.
How do I fix CVE-2019-11599?
To fix CVE-2019-11599, update to the appropriate kernel version that includes the security patch for this vulnerability.
What systems are affected by CVE-2019-11599?
CVE-2019-11599 affects various versions of the Linux kernel, particularly those prior to the patched versions listed by Red Hat.
Can CVE-2019-11599 lead to data breaches?
Yes, CVE-2019-11599 can potentially allow local users to obtain sensitive information, which could lead to data breaches.
Is CVE-2019-11599 specific to certain Linux distributions?
CVE-2019-11599 primarily affects Red Hat and Debian distributions but may also impact other Linux distributions using the vulnerable kernel versions.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-11599
- agent/software-canonical-lookup
- agent/weakness
- agent/author
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/remedy
- agent/last-modified-date
- agent/trending
- agent/source
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/android-source
- source/Android
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/security-tracker-debian
- source/Debian
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- collector/nvd-index
- package-manager/redhat
- vendor/google
- canonical/android
- package-manager/debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/2.16.12
- version/linux kernel/3.17
- version/linux kernel/4.5
- version/linux kernel/4.10
- version/linux kernel/4.15
- version/linux kernel/4.20