Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-9391


An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.


Published

2020-02-25T18:15:11.647

Last Modified

2024-11-21T05:40:32.890

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:N/I:N/A:P

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL
Exploitability Score

3.9

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-787

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Operating System linux linux_kernel ≤ 5.5.6 Yes
Operating System linux linux_kernel 5.4 Yes
Operating System fedoraproject fedora 31 Yes
Application netapp active_iq_unified_manager - Yes
Application netapp cloud_backup - Yes
Application netapp data_availability_services - Yes
Application netapp hci_management_node - Yes
Application netapp solidfire - Yes
Application netapp steelstore_cloud_integrated_storage - Yes
Operating System netapp h410c_firmware - Yes
Hardware netapp h410c - No

References