CVE-2019-14895

Advisory lineage Upstream: 0 Downstream: 47
Modified
Published: 29 Nov 2019, 13:50
Last modified:05 Aug 2024, 00:26

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
0.7% LOW
1% probability -0.13%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

29 Nov 2019, 13:50
Published
Vulnerability first disclosed
05 Aug 2024, 00:26
Last Modified
Vulnerability information updated

Description

A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.

CVSS Metrics

  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v3.0HIGHScore: 8CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.70% Percentile: 72%

Techniques & Countermeasures

  • CWE-787Out-of-bounds Write

    The product writes data past the end, or before the beginning, of the intended buffer.

  • CWE-122Heap-based Buffer Overflow

    A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Affected Systems

  • canonicalubuntu_linux

    14.04 | 16.04 | 18.04 | 19.04 | 19.10

  • debiandebian_linux

    8.0

  • fedoraprojectfedora

    30 | 31

  • linuxlinux_kernel

    ≥ 3.7, < 3.16.81 | ≥ 3.17, < 4.4.210 | ≥ 4.5, < 4.9.210 | ≥ 4.10, < 4.14.165 | ≥ 4.15, < 4.19.96 | ≥ 4.20, < 5.4.12

  • opensuseleap

    15.1

  • red hatkernel

    all kernel versions 3.x.x and 4.x.x before 4.18.0

References (26)