CVE-2019-8956

NameCVE-2019-8956
DescriptionIn the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the "sctp_sendmsg()" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)stretch4.9.228-1fixed
stretch (security)4.9.210-1+deb9u1fixed
buster4.19.146-1fixed
buster (security)4.19.152-1fixed
bullseye, sid5.9.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcejessie(not affected)
linuxsourcestretch(not affected)
linuxsource(unstable)4.19.28-1

Notes

[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
Fixed by: https://git.kernel.org/linus/ba59fb0273076637f0add4311faa990a5eec27c0

Search for package or bug name: Reporting problems