CVE-2019-3016

Advisory lineage Upstream: 0 Downstream: 12

Downstream

DEBIAN-CVE-2019-3016 DSA-4699-1 LSN-0065-1 MGASA-2020-0073 MGASA-2020-0089 OPENSUSE-SU-2024:10728-1

Modified

Published: 31 Jan 2020, 19:50

Last modified:30 Sept 2024, 15:47

Vulnerability Summary

Overall Risk (default)

medium

25/100

CVSS Score

6.2 MEDIUM

v3.1 (cve.org)

EPSS Score

0.06% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

31 Jan 2020, 19:50

Published

Vulnerability first disclosed

30 Sept 2024, 15:47

Last Modified

Vulnerability information updated

Description

In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.

CVSS Metrics

v3.1•MEDIUM•Score: 6.2CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
v3.1•MEDIUM•Score: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
v2.0•LOW•Score: 1.9AV:L/AC:M/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.06%• Percentile: 19%

Techniques & Countermeasures

CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

linux•linux_kernel
≥ 4.16 | 4.10 | 4.10 to 5.6