Login Sign Up

CVE-2019-25160

7.1 HIGH

📋 TL;DR

This CVE-2019-25160 is an out-of-bounds memory access vulnerability in the Linux kernel's netlabel subsystem, specifically in cipso_v4_map_lvl_valid() and netlbl_bitmap_walk() functions. It could allow local attackers to cause kernel crashes or potentially execute arbitrary code with kernel privileges. Systems running affected Linux kernel versions with netlabel/CIPSO enabled are vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Versions prior to the fix commits (specific versions vary by distribution; generally kernels before the patches were backported)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if netlabel subsystem and CIPSO (Commercial IP Security Option) are enabled/configured. Many distributions don't enable these by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to root, kernel panic causing system crash, or arbitrary code execution in kernel context leading to complete system compromise.

🟠

Likely Case

Kernel panic leading to denial of service (system crash) or local privilege escalation if an attacker can control the memory access parameters.

🟢

If Mitigated

Minimal impact if netlabel/CIPSO is disabled or systems are properly patched; otherwise, local attackers could still cause crashes.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring access to the system; not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local attackers (including malicious users or compromised accounts) could exploit this to escalate privileges or cause denial of service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of triggering the specific out-of-bounds memory accesses. No public exploits known as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 1c973f9c7cc2b3caae93192fdc8ecb3f0b4ac000, 5578de4834fe0f2a34fedc7374be691443396d1f, 97bc3683c24999ee621d847c9348c75d2fe86272, c61d01faa5550e06794dcf86125ccd325bfad950, dc18101f95fa6e815f426316b8b9a5cee28a334e

Vendor Advisory: https://git.kernel.org/stable/c/1c973f9c7cc2b3caae93192fdc8ecb3f0b4ac000

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. For distributions: Use package manager (apt/yum/dnf) to install latest kernel updates. 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable netlabel/CIPSO

linux

If netlabel and CIPSO are not needed, disable them to remove attack surface.

Check if netlabel is enabled: lsmod | grep netlabel
Disable module: rmmod netlabel (if loaded)
Prevent loading: echo 'blacklist netlabel' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Disable netlabel and CIPSO functionality if not required
  • Implement strict access controls to limit local user privileges and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if netlabel modules are loaded: uname -r && lsmod | grep netlabel

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated to one containing fix commits and netlabel modules are either disabled or patched.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs in /var/log/messages or dmesg
  • OOM (Out of Memory) or segmentation fault messages related to kernel

Network Indicators:

  • None - this is local exploitation only

SIEM Query:

Search for kernel panic events or segmentation faults in system logs

📊 Metadata

CVE ID: CVE-2019-25160
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125
Published: February 26, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-25160, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)