CVE-2019-17351 : An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.

An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.

Published 2019-10-08 00:15:11

Updated 2020-08-24 17:37:01

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2019-17351

Linux » Linux Kernel
Versions before (<) 5.2.3
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
XEN » XEN
Versions up to, including, (<=) 4.12.1
cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-17351

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 19 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-17351

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.9	MEDIUM	AV:L/AC:L/Au:N/C:N/I:N/A:C	3.9	6.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
6.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H	2.0	4.0	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-17351

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-17351

https://github.com/torvalds/linux/commit/6ef36ab967c71690ebe7e5ef997a8be4da3bc844

xen: let alloc_xenballooned_pages() fail if not enough memory free · torvalds/linux@6ef36ab · GitHub
Patch;Third Party Advisory
https://usn.ubuntu.com/4286-1/

USN-4286-1: Linux kernel vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://xenbits.xen.org/xsa/advisory-300.html

XSA-300 - Xen Security Advisories
Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/10/25/9

oss-security - Xen Security Advisory 300 v3 (CVE-2019-17351) - Linux: No grant table and foreign mapping limits
https://security.netapp.com/advisory/ntap-20191031-0005/

October 2019 Linux Kernel Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.3

Third Party Advisory

CVEs referencing this url
http://xenbits.xen.org/xsa/advisory-300.html

XSA-300 - Xen Security Advisories
https://usn.ubuntu.com/4286-2/

USN-4286-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-17351

Products affected by CVE-2019-17351

Exploit prediction scoring system (EPSS) score for CVE-2019-17351

CVSS scores for CVE-2019-17351

CWE ids for CVE-2019-17351

References for CVE-2019-17351