CVE-2019-11683
high-risk
Published 2019-05-02
udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have unspecified other impact via UDP packets with a 0 payload, because of mishandling of padded packets, aka the "GRO packet of death" issue.
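As an added example (not code from this CVE page, the kernel project, or any of the referenced advisories), the following POSIX shell check classifies a kernel release string against the only range the description gives, "5.x before 5.0.13", i.e. 5.0.0 through 5.0.12. The function names are this example's own. It assumes the usual `uname -r` layout (a dotted numeric prefix followed by a distro suffix); the note that vendor kernels may carry a backported fix under an unchanged 5.0.x string is an assumption about distro versioning practice, not something the page states, which is why a hit is phrased as "check your vendor advisory" rather than "vulnerable".

```shell
#!/bin/sh
# Added example, not from the CVE page or the kernel project.
# Classify a kernel release string against the range named in the
# CVE-2019-11683 description: "Linux kernel 5.x before 5.0.13", which
# this script reads as 5.0.0 .. 5.0.12 inclusive.
# Assumption (not from the page): distro kernels that backported the fix
# keep a 5.0.x release string, so a hit means "consult the vendor
# advisory", not "confirmed vulnerable".

# is_uint STRING: succeed only if STRING is a non-empty run of digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cve_2019_11683_affected VERSION: exit 0 if VERSION (uname -r style,
# e.g. "5.0.7-050007-generic") lies within 5.0.0..5.0.12, else exit 1.
cve_2019_11683_affected() {
    # Keep only the leading dotted numeric part: "5.0.7-050007-generic" -> "5.0.7".
    # sed returns 0 whether or not the pattern matches, so this is safe under set -e.
    base=$(printf '%s\n' "$1" | sed 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/')

    # Refuse anything that is not purely digits and dots (also keeps the
    # unquoted expansion below free of glob characters).
    case "$base" in
        ''|*[!0-9.]*) return 1 ;;
    esac

    # Split on dots into the function's own positional parameters.
    oldifs=$IFS
    IFS=.
    set -- $base
    IFS=$oldifs
    major=${1:-}
    minor=${2:-0}   # "5.0" is treated as 5.0.0
    patch=${3:-0}

    is_uint "$major" || return 1
    is_uint "$minor" || return 1
    is_uint "$patch" || return 1

    [ "$major" -eq 5 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 13 ]
}

# cve_2019_11683_report VERSION: print a one-line verdict; always exits 0
# so it can be called at top level under set -e.
cve_2019_11683_report() {
    if cve_2019_11683_affected "$1"; then
        printf 'CVE-2019-11683: %s is in the affected range 5.0.0-5.0.12; check your vendor advisory for a backported fix\n' "$1"
    else
        printf 'CVE-2019-11683: %s is outside the affected range (upstream fix: 5.0.13)\n' "$1"
    fi
    return 0
}

# Stand-alone use: check the running kernel, or a version string passed as $1.
cve_2019_11683_report "${1:-$(uname -r)}"
```

Run it with no argument to check the running kernel, or pass a release string to test a remote host's `uname -r` output. Whether turning off GRO on an interface (`ethtool -K <dev> gro off`) sidesteps the bug is not stated anywhere on this page; treat that as an assumption to verify against the referenced 5.0.13 ChangeLog before relying on it as a mitigation.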
Do I need to act?
EPSS: 10.0% chance of exploitation in the next 30 days (higher than 90% of all CVEs)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown on this tracker, but the description and the linked kernel ChangeLog place the upstream fix in Linux 5.0.13; check vendor advisories for backported fixes and mitigation guidance
CVSS: 9.8/10, Critical (attack vector NETWORK, attack complexity LOW)
Affected Products (2)
References (20)
Third Party Advisory
http://www.securityfocus.com/bid/108142
Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.13
Third Party Advisory
https://security.netapp.com/advisory/ntap-20190517-0002/
Third Party Advisory
https://support.f5.com/csp/article/K69550896
Third Party Advisory
https://usn.ubuntu.com/3979-1/
Issue Tracking
https://www.spinics.net/lists/netdev/msg568315.html
Risk score: 50 / 100, high-risk
Severity: 32/34, Critical
Exploitability: 11/34, Low
Exposure: 7/34, Low