CVE-2019-19768

Description

In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).

References

Link	Tags
https://bugzilla.kernel.org/show_bug.cgi?id=205711	issue tracking vendor advisory
https://security.netapp.com/advisory/ntap-20200103-0001/
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00039.html	vendor advisory
https://usn.ubuntu.com/4344-1/	vendor advisory
https://usn.ubuntu.com/4345-1/	vendor advisory
https://usn.ubuntu.com/4342-1/	vendor advisory
https://usn.ubuntu.com/4346-1/	vendor advisory
https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html	mailing list
https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html	mailing list
https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html	mailing list
https://www.debian.org/security/2020/dsa-4698	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2019-19768?: CVE-2019-19768 has been scored as a high severity vulnerability.
How to fix CVE-2019-19768?: To fix CVE-2019-19768, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2019-19768 being actively exploited in the wild?: It is possible that CVE-2019-19768 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-416 – Use After Free

References

Frequently Asked Questions