CVE-2019-9857 Information

Feb 14, 2021 cve

Description

In the Linux kernel through 5.0.2 the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark() which will cause a memory leak (aka refcount leak). Finally this will cause a denial of service.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Reference

http://www.securityfocus.com/bid/107527 https://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs.git/commit/?h=fsnotify&id=62c9d2674b31d4c8a674bee86b7edc6da2803aea https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXLZ2V2ES37A3J7DMK4MZYIWV2LEZFLM/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPH3B7FJOMWD5JWUPZKB6T44KNT4PX2L/ https://patchwork.kernel.org/patch/10836283/ https://security.netapp.com/advisory/ntap-20190404-0002/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.5

Share on: