CVE-2019-16746

Description

An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 2.60%• Percentile: 86%

Techniques & Countermeasures

• CWE-120•Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Affected Systems

• canonical•ubuntu_linux

  16.04 | 18.04 | 19.04 | 19.10

• debian•debian_linux

  8.0

• fedoraproject•fedora

  30

• linux•linux_kernel

  ≥ 2.6.25, < 3.16.79 | ≥ 3.17, < 4.4.197 | ≥ 4.5, < 4.9.197 | ≥ 4.10, < 4.14.149 | ≥ 4.15, < 4.19.79 | ≥ 4.20, < 5.3.6

• opensuse•leap

  15.1

References (14)

• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TASE2ESEZAER6DTZH3DJ4K2JNO46TVL7/
• https://seclists.org/bugtraq/2019/Nov/11
• https://usn.ubuntu.com/4183-1/
• https://usn.ubuntu.com/4186-1/
• https://usn.ubuntu.com/4209-1/
• https://usn.ubuntu.com/4210-1/
• https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
• https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html
• http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html
• https://marc.info/?l=linux-wireless&m=156901391225058&w=2
• https://security.netapp.com/advisory/ntap-20191031-0005/