Vulnerability Details CVE-2019-19813
In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.015
EPSS Ranking 80.3%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 7.1
Products affected by CVE-2019-19813
- cpe:2.3:a:netapp:active_iq_unified_manager:9.10
- cpe:2.3:a:netapp:active_iq_unified_manager:9.5
- cpe:2.3:a:netapp:active_iq_unified_manager:9.6
- cpe:2.3:a:netapp:data_availability_services:-
- cpe:2.3:a:netapp:hci_management_node:-
- cpe:2.3:a:netapp:solidfire:-
- cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-
- cpe:2.3:h:netapp:aff_a400:-
- cpe:2.3:h:netapp:aff_a700s:-
- cpe:2.3:h:netapp:fas8300:-
- cpe:2.3:h:netapp:fas8700:-
- cpe:2.3:o:canonical:ubuntu_linux:14.04
- cpe:2.3:o:canonical:ubuntu_linux:16.04
- cpe:2.3:o:canonical:ubuntu_linux:18.04
- cpe:2.3:o:debian:debian_linux:9.0
- cpe:2.3:o:linux:linux_kernel:5.0.21
- cpe:2.3:o:netapp:aff_a400_firmware:-
- cpe:2.3:o:netapp:aff_a700s_firmware:-
- cpe:2.3:o:netapp:fas8300_firmware:-
- cpe:2.3:o:netapp:fas8700_firmware:-
- cpe:2.3:o:netapp:h610s_firmware:-