CVE-2019-11478

SACK can cause extensive memory use via fragmented resend queue

CVSS 5.3 MEDIUM · EPSS 94.7% · CWE-770

In short

A flaw in the Linux kernel's TCP handling allows a remote attacker to send specially crafted network packets that cause excessive memory use and crash the system. The issue happens when the kernel fragments its retransmission queue while handling certain SACK (Selective Acknowledgment) sequences.

Technical detail

The vulnerability exists in tcp_fragment() where improper handling of SACK sequences causes pathological fragmentation of the TCP retransmission queue. A remote attacker can exploit this via specially crafted TCP packets to exhaust memory and trigger a denial of service, affecting all unpatched kernel versions prior to the listed fixes.

Summary generated and translated by AI from the official description.

Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products
Linux · Linux kernel
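
To check a host against the fixed stable releases listed in the official description, the following added example (not code from this page or from the kernel project) classifies a kernel release string; the function names `fixed_patch_for` and `sack_fix_status` are hypothetical. It compares upstream version numbers only: distribution kernels often backport fixes without changing the upstream version, so a "vulnerable" result on a distribution kernel means the vendor's own advisory still has to be consulted.

```shell
#!/bin/sh
# Added example (not vendor or kernel-project code): classify a kernel release
# string against the fixed stable releases listed in the description above.

# Patch level carrying the fix in each stable series named by the advisory.
fixed_patch_for() {
    case "$1" in
        4.4|4.9) echo 182 ;;
        4.14)    echo 127 ;;
        4.19)    echo 52 ;;
        5.1)     echo 11 ;;
        *)       echo "" ;;
    esac
}

# Prints one of: fixed | vulnerable | unlisted | unparsed
sack_fix_status() {
    # Keep the leading numeric part: "4.19.0-5-amd64" -> "4.19.0".
    ver=${1%%[!0-9.]*}
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo unparsed; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;                 # "4.14" means patch level 0
    esac
    [ -n "$patch" ] || patch=0
    want=$(fixed_patch_for "$major.$minor")
    if [ -n "$want" ]; then
        if [ "$patch" -ge "$want" ]; then echo fixed; else echo vulnerable; fi
    elif [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; }; then
        # Assumption: mainline releases after the 5.1 series contain the fix commit.
        echo fixed
    else
        # Series for which the advisory names no fixed release.
        echo unlisted
    fi
}

# Classify the running kernel.
echo "$(uname -r): $(sack_fix_status "$(uname -r)")"
```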
