InfoSec News & Investigations

CVE-2019-8912 | Use After Free Arbitrary Code Execution Vulnerability for many Linux Kernels

Linux Kernel is prone to an arbitrary code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code in the context of the kernel. Failed exploits may result in denial-of-service conditions.

The Kernel Address Sanitizer (KASAN) that detects dynamic memory errors within the Linux kernel code has just picked up another win with uncovering a use-after-free vulnerability that’s been around since the early Linux 2.6 kernels.

KASAN (along with the other sanitizers) have already proven quite valuable in spotting various coding mistakes hopefully before they are exploited in the real-world. The Kernel Address Sanitizer picked up another feather in its hat with being responsible for the CVE-2019-8912 discovery.

A use-after-free issue was found in the networking subsystem’s sockfs code and looks like it could lead to arbitrary code execution as a result.

The issue was reported last week by a Huawei engineer and was fixed in Linux Git shortly thereafter. As of Linux 4.20.11 kernel release it doesn’t appear yet carrying this patch, but should land in the various stable/long-term branches soon.