CVE-2019-18683
Summary
| CVE | CVE-2019-18683 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-11-04 16:15:00 UTC |
| Updated | 2023-11-07 03:06:00 UTC |
| Description | An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free. |
Risk And Classification
Problem Types: CWE-362 | CWE-416
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Broadcom | Fabric Operating System | - | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.10 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Linux | Linux Kernel | All | All | All | All |
| Hardware | Netapp | 8300 | - | All | All | All |
| Operating System | Netapp | 8300 Firmware | - | All | All | All |
| Hardware | Netapp | 8700 | - | All | All | All |
| Operating System | Netapp | 8700 Firmware | - | All | All | All |
| Hardware | Netapp | A400 | - | All | All | All |
| Operating System | Netapp | A400 Firmware | - | All | All | All |
| Hardware | Netapp | A700s | - | All | All | All |
| Operating System | Netapp | A700s Firmware | - | All | All | All |
| Application | Netapp | Active Iq Unified Manager | - | All | All | All |
| Application | Netapp | Cloud Backup | - | All | All | All |
| Application | Netapp | Data Availability Services | - | All | All | All |
| Application | Netapp | E-series Santricity Os Controller | All | All | All | All |
| Application | Netapp | Element Software | - | All | All | All |
| Hardware | Netapp | H610s | - | All | All | All |
| Operating System | Netapp | H610s Firmware | - | All | All | All |
| Application | Netapp | Hci Management Node | - | All | All | All |
| Application | Netapp | Solidfire | - | All | All | All |
| Application | Netapp | Steelstore Cloud Integrated Storage | - | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - Re: [ Linux kernel ] Exploitable bugs in drivers/media/platform/vivid | MLIST | www.openwall.com | Exploit, Third Party Advisory |
| November 2019 Linux Kernel Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Bugtraq: [slackware-security] Slackware 14.2 kernel (SSA:2020-008-01) | BUGTRAQ | seclists.org | |
| [PATCH v4 1/1] media: vivid: Fix wrong locking that causes race conditions on streaming stop - Alexander Popov | MISC | lore.kernel.org | Patch, Vendor Advisory |
| USN-4284-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | |
| [SECURITY] [DLA 2114-1] linux-4.9 security update | MLIST | lists.debian.org | |
| USN-4287-2: Linux kernel (Azure) vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | |
| USN-4258-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | |
| USN-4254-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | |
| [security-announce] openSUSE-SU-2019:2675-1: important: Security update | SUSE | lists.opensuse.org | |
| USN-4254-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | |
| Slackware Security Advisory - Slackware 14.2 kernel Updates ≈ Packet Storm | MISC | packetstormsecurity.com | |
| USN-4287-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | |
| oss-security - [ Linux kernel ] Exploitable bugs in drivers/media/platform/vivid | MISC | www.openwall.com | Exploit, Mailing List, Third Party Advisory |
| [PATCH v4 1/1] media: vivid: Fix wrong locking that causes race conditions on streaming stop - Alexander Popov | lore.kernel.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.