CVE-2019-11833
Last modified
CVE-2019-11833 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. EPSS estimates a 0.65% chance of exploitation in the next 30 days.
Description
fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | <= 5.1.2 |
| Fedoraproject | Fedora | 29 |
| Debian | Debian Linux | 8.0 |
| Debian | Debian Linux | 9.0 |
| Canonical | Ubuntu Linux | 14.04 |
| Canonical | Ubuntu Linux | 16.04 |
| Canonical | Ubuntu Linux | 18.04 |
| Canonical | Ubuntu Linux | 19.04 |
| Redhat | Enterprise Linux | 8.0 |
| Redhat | Enterprise Linux Desktop | 7.0 |
| Redhat | Enterprise Linux Eus | 8.1 |
| Redhat | Enterprise Linux Eus | 8.2 |
| Redhat | Enterprise Linux Eus | 8.4 |
| Redhat | Enterprise Linux Eus | 8.6 |
| Redhat | Enterprise Linux For Real Time | 7 |
| Redhat | Enterprise Linux For Real Time | 8.0 |
| Redhat | Enterprise Linux For Real Time For Nfv | 7 |
| Redhat | Enterprise Linux For Real Time For Nfv | 8.0 |
| Redhat | Enterprise Linux For Real Time For Nfv Tus | 8.2 |
| Redhat | Enterprise Linux For Real Time For Nfv Tus | 8.4 |
| Redhat | Enterprise Linux For Real Time For Nfv Tus | 8.6 |
| Redhat | Enterprise Linux For Real Time Tus | 8.2 |
| Redhat | Enterprise Linux For Real Time Tus | 8.4 |
| Redhat | Enterprise Linux For Real Time Tus | 8.6 |
| Redhat | Enterprise Linux Server | 7.0 |
| Redhat | Enterprise Linux Server Aus | 8.2 |
| Redhat | Enterprise Linux Server Aus | 8.4 |
| Redhat | Enterprise Linux Server Aus | 8.6 |
| Redhat | Enterprise Linux Server Tus | 8.2 |
| Redhat | Enterprise Linux Server Tus | 8.4 |
| Redhat | Enterprise Linux Server Tus | 8.6 |
| Redhat | Enterprise Linux Workstation | 7.0 |
References
- http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html (Third Party Advisory, VDB Entry)
- http://www.securityfocus.com/bid/108372 (Broken Link, Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2019:2029 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:2043 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3309 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3517 (Third Party Advisory)
- https://github.com/torvalds/linux/commit/592acbf16821288ecdc4192c47e3774a4c48bb64 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/06/msg00010.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/06/msg00011.html (Mailing List, Third Party Advisory)
- https://seclists.org/bugtraq/2019/Jun/26 (Mailing List, Third Party Advisory)
- https://usn.ubuntu.com/4068-1/ (Third Party Advisory)
- https://usn.ubuntu.com/4068-2/ (Third Party Advisory)
- https://usn.ubuntu.com/4069-1/ (Third Party Advisory)
- https://usn.ubuntu.com/4069-2/ (Third Party Advisory)
- https://usn.ubuntu.com/4076-1/ (Third Party Advisory)
- https://usn.ubuntu.com/4095-2/ (Third Party Advisory)
- https://usn.ubuntu.com/4118-1/ (Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4465 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
