CVE-2019-10639

The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
4.1 ≤
𝑥
≤ 4.20.9
linuxlinux_kernel
5.0 ≤
𝑥
< 5.0.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.106-3
fixed
bookworm (security)
6.1.112-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.226-1
fixed
sid
6.11.6-1
fixed
trixie
6.11.5-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
linux
bionic
Fixed 4.15.0-60.67
released
cosmic
ignored
disco
Fixed 5.0.0-16.17
released
eoan
not-affected
trusty
ignored
xenial
Fixed 4.4.0-150.176
released
linux-aws
bionic
Fixed 4.15.0-1047.49
released
cosmic
ignored
disco
Fixed 5.0.0-1007.7
released
eoan
not-affected
trusty
ignored
xenial
Fixed 4.4.0-1084.94
released
linux-aws-5.0
bionic
not-affected
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-aws-hwe
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
Fixed 4.15.0-1047.49~16.04.1
released
linux-azure
bionic
Fixed 5.0.0-1014.14~18.04.1
released
cosmic
ignored
disco
Fixed 5.0.0-1008.8
released
eoan
not-affected
trusty
ignored
xenial
Fixed 4.15.0-1056.61
released
linux-azure-5.3
bionic
not-affected
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-azure-edge
bionic
Fixed 5.0.0-1014.14~18.04.1
released
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
Fixed 4.15.0-1056.61
released
linux-euclid
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
ignored
linux-flo
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
ignored
linux-gcp
bionic
Fixed 4.15.0-1042.45
released
cosmic
ignored
disco
Fixed 5.0.0-1007.7
released
eoan
not-affected
trusty
dne
xenial
Fixed 4.15.0-1041.43
released
linux-gcp-5.3
bionic
not-affected
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-gcp-edge
bionic
Fixed 4.15.0-1042.45
released
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-gke
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
ignored
linux-gke-4.15
bionic
Fixed 4.15.0-1041.43
released
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-gke-5.0
bionic
not-affected
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-goldfish
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
ignored
linux-grouper
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-hwe
bionic
Fixed 5.0.0-23.24~18.04.1
released
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
Fixed 4.15.0-60.67~16.04.1
released
linux-hwe-edge
bionic
Fixed 5.0.0-16.17~18.04.1
released
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
Fixed 4.15.0-60.67~16.04.1
released
linux-kvm
bionic
Fixed 4.15.0-1043.43
released
cosmic
ignored
disco
Fixed 5.0.0-1007.7
released
eoan
not-affected
trusty
dne
xenial
Fixed 4.4.0-1047.53
released
linux-lts-trusty
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-lts-utopic
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-lts-vivid
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-lts-wily
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-lts-xenial
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
ignored
xenial
dne
linux-maguro
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-mako
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
ignored
linux-manta
bionic
dne
cosmic
dne
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-oem
bionic
Fixed 4.15.0-1056.65
released
cosmic
ignored
disco
ignored
eoan
Fixed 4.15.0-1059.68
released
trusty
dne
xenial
ignored
linux-oem-5.4
bionic
dne
eoan
dne
trusty
dne
xenial
dne
linux-oem-osp1
bionic
not-affected
disco
not-affected
eoan
not-affected
trusty
dne
xenial
dne
linux-oracle
bionic
Fixed 4.15.0-1022.25
released
cosmic
ignored
disco
Fixed 5.0.0-1004.8
released
eoan
not-affected
trusty
dne
xenial
Fixed 4.15.0-1022.25~16.04.1
released
linux-oracle-5.0
bionic
not-affected
disco
dne
eoan
dne
trusty
dne
xenial
dne
linux-raspi2
bionic
Fixed 4.15.0-1044.47
released
cosmic
ignored
disco
Fixed 5.0.0-1009.9
released
eoan
not-affected
trusty
dne
xenial
Fixed 4.4.0-1110.118
released
linux-raspi2-5.3
bionic
not-affected
eoan
dne
trusty
dne
xenial
dne
linux-snapdragon
bionic
Fixed 4.15.0-1062.69
released
cosmic
dne
disco
Fixed 5.0.0-1013.13
released
eoan
dne
trusty
dne
xenial
Fixed 4.4.0-1114.119
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
kernel-azure
suse enterprise sap 12 SP4
4.12.14-6.18.1
fixed
suse enterprise sap 15
4.12.14-5.33.1
fixed
suse enterprise sap 15 SP1
4.12.14-8.13.1
fixed
suse enterprise server 12 SP4
4.12.14-6.18.1
fixed
suse enterprise server 15
4.12.14-5.33.1
fixed
suse enterprise server 15 SP1
4.12.14-8.13.1
fixed
kernel-azure-base
suse enterprise sap 12 SP4
4.12.14-6.18.1
fixed
suse enterprise sap 15
4.12.14-5.33.1
fixed
suse enterprise sap 15 SP1
4.12.14-8.13.1
fixed
suse enterprise sap 15 SP2
4.12.14-8.13.1
fixed
suse enterprise sap 15 SP3
4.12.14-8.13.1
fixed
suse enterprise server 12 SP4
4.12.14-6.18.1
fixed
suse enterprise server 15
4.12.14-5.33.1
fixed
suse enterprise server 15 SP1
4.12.14-8.13.1
fixed
suse enterprise server 15 SP2
4.12.14-8.13.1
fixed
suse enterprise server 15 SP3
4.12.14-8.13.1
fixed
kernel-default
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 12 SP4
4.12.14-95.24.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 12 SP2
4.4.121-92.117.1
fixed
suse enterprise server 12 SP3
4.4.180-94.100.1
fixed
suse enterprise server 12 SP4
4.12.14-95.24.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kernel-default-base
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 12 SP4
4.12.14-95.24.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 12 SP2
4.4.121-92.117.1
fixed
suse enterprise server 12 SP3
4.4.180-94.100.1
fixed
suse enterprise server 12 SP4
4.12.14-95.24.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kernel-default-man
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 12 SP4
4.12.14-95.24.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 12 SP2
4.4.121-92.117.1
fixed
suse enterprise server 12 SP3
4.4.180-94.100.1
fixed
suse enterprise server 12 SP4
4.12.14-95.24.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kernel-docs
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kernel-macros
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 12 SP4
4.12.14-95.24.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 12 SP2
4.4.121-92.117.1
fixed
suse enterprise server 12 SP3
4.4.180-94.100.1
fixed
suse enterprise server 12 SP4
4.12.14-95.24.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kernel-obs-build
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kernel-source
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 12 SP4
4.12.14-95.24.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 12 SP2
4.4.121-92.117.1
fixed
suse enterprise server 12 SP3
4.4.180-94.100.1
fixed
suse enterprise server 12 SP4
4.12.14-95.24.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kernel-source-azure
suse enterprise sap 12 SP4
4.12.14-6.18.1
fixed
suse enterprise sap 15
4.12.14-5.33.1
fixed
suse enterprise sap 15 SP1
4.12.14-8.13.1
fixed
suse enterprise sap 15 SP2
4.12.14-5.33.1
fixed
suse enterprise sap 15 SP3
4.12.14-5.33.1
fixed
suse enterprise server 12 SP4
4.12.14-6.18.1
fixed
suse enterprise server 15
4.12.14-5.33.1
fixed
suse enterprise server 15 SP1
4.12.14-8.13.1
fixed
suse enterprise server 15 SP2
4.12.14-5.33.1
fixed
suse enterprise server 15 SP3
4.12.14-5.33.1
fixed
kernel-syms
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 12 SP4
4.12.14-95.24.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 12 SP2
4.4.121-92.117.1
fixed
suse enterprise server 12 SP3
4.4.180-94.100.1
fixed
suse enterprise server 12 SP4
4.12.14-95.24.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kernel-syms-azure
suse enterprise sap 12 SP4
4.12.14-6.18.1
fixed
suse enterprise sap 15
4.12.14-5.33.1
fixed
suse enterprise sap 15 SP1
4.12.14-8.13.1
fixed
suse enterprise server 12 SP4
4.12.14-6.18.1
fixed
suse enterprise server 15
4.12.14-5.33.1
fixed
suse enterprise server 15 SP1
4.12.14-8.13.1
fixed
kernel-vanilla-base
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
kernel-zfcpdump
suse enterprise desktop 15
4.12.14-150.27.1
fixed
suse enterprise desktop 15 SP1
4.12.14-197.10.1
fixed
suse enterprise sap 15
4.12.14-150.27.1
fixed
suse enterprise sap 15 SP1
4.12.14-197.10.1
fixed
suse enterprise server 15
4.12.14-150.27.1
fixed
suse enterprise server 15 SP1
4.12.14-197.10.1
fixed
kgraft-patch-4_4_121-92_117-default-1
suse enterprise server 12 SP2
3.3.1
fixed
kgraft-patch-4_4_180-94_100-default-1
suse enterprise server 12 SP3
4.3.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
bpftool
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-abi-whitelists
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-bootwrapper
RHEL 7
0:3.10.0-1127.el7
fixed
kernel-core
RHEL 8
0:4.18.0-193.el8
fixed
kernel-debug
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-debug-core
RHEL 8
0:4.18.0-193.el8
fixed
kernel-debug-devel
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-debug-modules
RHEL 8
0:4.18.0-193.el8
fixed
kernel-debug-modules-extra
RHEL 8
0:4.18.0-193.el8
fixed
kernel-devel
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-doc
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-kdump
RHEL 7
0:3.10.0-1127.el7
fixed
kernel-kdump-devel
RHEL 7
0:3.10.0-1127.el7
fixed
kernel-modules
RHEL 8
0:4.18.0-193.el8
fixed
kernel-modules-extra
RHEL 8
0:4.18.0-193.el8
fixed
kernel-rt
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-core
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-debug
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-debug-core
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-debug-devel
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-debug-kvm
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-debug-modules
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-debug-modules-extra
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-devel
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-doc
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
kernel-rt-kvm
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-modules
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-modules-extra
RHEL 8
0:4.18.0-193.rt13.51.el8
fixed
kernel-rt-trace
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
kernel-rt-trace-devel
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
kernel-rt-trace-kvm
RHEL 7
0:3.10.0-1127.rt56.1093.el7
fixed
kernel-tools
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-tools-libs
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-tools-libs-devel
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
kernel-zfcpdump
RHEL 8
0:4.18.0-193.el8
fixed
kernel-zfcpdump-core
RHEL 8
0:4.18.0-193.el8
fixed
kernel-zfcpdump-devel
RHEL 8
0:4.18.0-193.el8
fixed
kernel-zfcpdump-modules
RHEL 8
0:4.18.0-193.el8
fixed
kernel-zfcpdump-modules-extra
RHEL 8
0:4.18.0-193.el8
fixed
perf
RHEL 7
0:3.10.0-1127.el7
fixed
RHEL 8
0:4.18.0-193.el8
fixed
python-perf
RHEL 7
0:3.10.0-1127.el7
fixed
python3-perf
RHEL 8
0:4.18.0-193.el8
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html
https://arxiv.org/pdf/1906.10478.pdf
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.8
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92
https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92
https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html
https://lists.debian.org/debian-lts-announce/2019/08/msg00017.html
https://seclists.org/bugtraq/2019/Aug/18
https://security.netapp.com/advisory/ntap-20190806-0001/
https://support.f5.com/csp/article/K32804955
https://support.f5.com/csp/article/K32804955?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4115-1/
https://usn.ubuntu.com/4118-1/
https://www.debian.org/security/2019/dsa-4497
https://www.oracle.com/security-alerts/cpuApr2021.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html
https://arxiv.org/pdf/1906.10478.pdf
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.8
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=355b98553789b646ed97ad801a619ff898471b92
https://github.com/torvalds/linux/commit/355b98553789b646ed97ad801a619ff898471b92
https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html
https://lists.debian.org/debian-lts-announce/2019/08/msg00017.html
https://seclists.org/bugtraq/2019/Aug/18
https://security.netapp.com/advisory/ntap-20190806-0001/
https://support.f5.com/csp/article/K32804955
https://support.f5.com/csp/article/K32804955?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4115-1/
https://usn.ubuntu.com/4118-1/
https://www.debian.org/security/2019/dsa-4497
https://www.oracle.com/security-alerts/cpuApr2021.html