CVE-2019-14284: In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls ca...

Description

In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default.

Metrics

EPSS Probability

0.70%

48.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-369

Affected Software

Vendor	Product	Versions
Linux	Linux Kernel	< 5.2.3

References

Timeline

Published: Jul 26, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-14284?

In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default.

How severe is CVE-2019-14284?

Severity scoring for CVE-2019-14284 is pending analysis. The EPSS model estimates a 0.70% probability of exploitation in the next 30 days.

How do I fix CVE-2019-14284?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.