Vulnerability Details : CVE-2019-12456
An issue was discovered in the MPT3COMMAND case in _ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel through 5.1.5. It allows local users to cause a denial of service or possibly have unspecified other impact by changing the value of ioc_number between two kernel reads of that value, aka a "double fetch" vulnerability. NOTE: a third party reports that this is unexploitable because the doubly fetched value is not used
Vulnerability category: Denial of service
Products affected by CVE-2019-12456
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12456
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 10 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-12456
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST | |
|
7.8
|
HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
References for CVE-2019-12456
-
https://support.f5.com/csp/article/K84310302?utm_source=f5support&%3Butm_medium=RSS
Linux kernel vulnerability CVE-2019-12456
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html
[security-announce] openSUSE-SU-2019:1570-1: important: Security update
-
https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=5.3/scsi-queue&id=86e5aca7fa2927060839f3e3b40c8bd65a7e8d1e
kernel/git/mkp/scsi.git - SCSIPatch;Vendor Advisory
-
https://lkml.org/lkml/2019/5/29/1164
LKML: "Martin K. Petersen": Re: [PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()Mailing List;Third Party Advisory
-
https://support.f5.com/csp/article/K84310302?utm_source=f5support&utm_medium=RSS
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDURACJVGIBIYBSGDZJTRDPX46H5WPZW/
[SECURITY] Fedora 30 Update: kernel-headers-5.1.8-300.fc30 - package-announce - Fedora Mailing-Lists
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00040.html
[security-announce] openSUSE-SU-2019:1571-1: important: Security update
-
https://support.f5.com/csp/article/K84310302
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00048.html
[security-announce] openSUSE-SU-2019:1579-1: important: Security update
-
https://bugzilla.redhat.com/show_bug.cgi?id=1717182
1717182 – (CVE-2019-12456) CVE-2019-12456 kernel: double fetch in the MPT3COMMAND case in _ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDURACJVGIBIYBSGDZJTRDPX46H5WPZW/
[SECURITY] Fedora 30 Update: kernel-headers-5.1.8-300.fc30 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBJHGQXA4PQ5EOGCOXEH3KFDNVZ2I4X7/
[SECURITY] Fedora 29 Update: kernel-headers-5.1.8-200.fc29 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBJHGQXA4PQ5EOGCOXEH3KFDNVZ2I4X7/
[SECURITY] Fedora 29 Update: kernel-headers-5.1.8-200.fc29 - package-announce - Fedora Mailing-Lists
Jump to