Linux Kernel hid_debug_events_read() Function Local Denial of Service Vulnerability [CVE-2019-3819]

CVE Number – CVE-2019-3819

A vulnerability in the hid_debug_events_read() function of the Linux Kernel could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.The vulnerability exists in the hid_debug_events_read() function, as defined in the drivers/hid/hid-debug.c source code file of the affected software. The vulnerability is due to an infinite loop condition that may occur when user-supplied input with certain parameters is passed from a userspace. An attacker with root privileges could exploit this vulnerability by executing a program that submits malicious input to the targeted system. A successful exploit could cause the system to lock, resulting in a DoS condition.Kernel.org has not confirmed the vulnerability, and software updates are not available.

Analysis

• To exploit this vulnerability, the attacker must have root privileges on the targeted system. This access requirement could reduce the likelihood of a successful exploit.

Safeguards

• Administrators are advised to contact the vendor regarding future updates and releases.Administrators are advised to allow only trusted users to access local systems.Administrators are advised to allow only privileged users to access administration or management systems.Administrators are advised to monitor critical systems.

Vendor Announcements

• At the time this alert was first published, Kernel.org had not released a security announcement.

Fixed Software

• At the time this alert was first published, Kernel.org had not released software updates. A patch was available in the unofficial Linux Kernel Mailing List archive; however, the patch had not been pushed upstream to Linux Kernel distributions.