DEBIAN-CVE-2019-19922

Advisory lineage Upstream: 1 Downstream: 1

Upstream

CVE-2019-19922

Downstream

DLA-2068-1

Published: 22 Dec 2019, 20:15

Last modified:28 Apr 2026, 20:20

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.5 MEDIUM

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

22 Dec 2019, 20:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:20

Last Modified

Vulnerability information updated

Description

kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)

CVSS Metrics

v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Systems

debian•linux
< 5.3.9-1 | < 5.3.9-1 | < 5.3.9-1 | < 5.3.9-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2019-19922