Ubuntu.comUB:CVE-2019-12454CVE-2019-12454
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
32.1%
DISPUTED An issue was discovered in wcd9335_codec_enable_dec in
sound/soc/codecs/wcd9335.c in the Linux kernel through 5.1.5. It uses
kstrndup instead of kmemdup_nul, which allows attackers to have an
unspecified impact via unknown vectors. NOTE: The vendor disputes this
issues as not being a vulnerability because switching to kmemdup_nul()
would only fix a security issue if the source string wasn’t NUL-terminated,
which is not the case.
Notes
| Author | Note |
|---|---|
| tyhicks | There’s no security impact here from what I can tell. I’ve requested that MITRE reject this CVE. |
References
git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git/commit/?h=for-5.3&id=a54988113985ca22e414e132054f234fc8a92604
launchpad.net/bugs/cve/CVE-2019-12454
lkml.org/lkml/2019/5/29/705
nvd.nist.gov/vuln/detail/CVE-2019-12454
security-tracker.debian.org/tracker/CVE-2019-12454
www.cve.org/CVERecord?id=CVE-2019-12454
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
32.1%