← back
CVE-2019-11477

Integer overflow in TCP_SKB_CB(skb)->tcp_gso_segs

CVSS 7.5 HIGHEPSS 98.7%CWE-190
In short

A flaw in how Linux handles TCP data packets allows a remote attacker to send specially crafted network packets that cause the system to crash or stop responding. The issue is in the kernel's handling of a TCP feature called SACK (Selective Acknowledgment).

Technical detail

An integer overflow vulnerability exists in TCP_SKB_CB(skb)->tcp_gso_segs when processing TCP Selective Acknowledgments (SACKs) in the Linux kernel. A remote unauthenticated attacker can trigger this overflow by sending specially crafted TCP packets, leading to denial of service via kernel panic or resource exhaustion. The vulnerability affects kernel versions prior to 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11.

Summary generated and translated by AI from the official description.
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
Linux · Linux kernel

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.htmlhttp://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.htmlhttps://access.redhat.com/errata/RHSA-2019:1594https://access.redhat.com/errata/RHSA-2019:1602https://access.redhat.com/errata/RHSA-2019:1699https://access.redhat.com/security/vulnerabilities/tcpsackhttps://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdfhttps://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.mdhttps://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=3b4929f65b0d8249f19a50245cd88ed1a2f78cffhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193https://kc.mcafee.com/corporate/index?page=content&id=SB10287https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0006