Incomplete Initialization of Structures in crypto_report_one() in Linux Kernel (CVE-2013-2547 Regression)

CVE-2018-19854 · LOW Severity

AV:L/AC:M/AU:N/C:P/I:N/A:N

An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and the related report functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize the structures they copy to userspace, so stale kernel memory can potentially leak to user programs. NOTE: this is a regression of CVE-2013-2547, but it is easier to exploit because the attacker does not need a capability; the kernel must, however, be built with the CONFIG_CRYPTO_USER kconfig option.
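The defect class behind this advisory, and the fix pattern for it, as an added userspace model (example code, not the kernel's own crypto_user.c): a report structure is built in a stack slot that still holds stale data, and only some of its fields are written before the whole structure is copied out. The struct layout, field names and the 0xAA "stale" pattern are constructed for illustration; memcpy() stands in for copy_to_user()/nla_put(). The hardened variant clears the whole structure first, which also covers any implicit padding a real struct may contain.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a report structure handed back to userspace.
 * Field names are illustrative, not the kernel's exact struct
 * crypto_report_* layout. All fields are 4-byte aligned, so this
 * particular struct has no implicit padding (sizeof == 28). */
struct report {
    char     type[16];
    uint32_t blocksize;
    uint32_t min_keysize;
    uint32_t max_keysize;
};

/* Byte pattern standing in for stale data left in the stack slot by an
 * earlier call (in a real kernel this could be keys, pointers, ...). */
#define STALE_BYTE 0xAA

/* Before: only some fields are written, so every other byte of *r keeps
 * whatever the stack held before. This is the defect class described
 * in the advisory. */
static void fill_report_partial(struct report *r, const char *type, uint32_t bs)
{
    strncpy(r->type, type, sizeof(r->type)); /* zero-pads type[] only */
    r->blocksize = bs;
    /* min_keysize / max_keysize are never assigned */
}

/* After: clear the whole structure first, then populate it. Every byte
 * that is later copied out is now deterministic, padding included. */
static void fill_report_full(struct report *r, const char *type, uint32_t bs)
{
    memset(r, 0, sizeof(*r));
    strncpy(r->type, type, sizeof(r->type) - 1); /* keeps a NUL terminator */
    r->blocksize = bs;
}

/* Count bytes of the copied-out buffer that still carry the stale
 * pattern. Zero means nothing from the old stack contents reached
 * userspace. */
static size_t count_stale_bytes(const unsigned char *buf, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

/* Run one scenario: a stack slot pre-filled with STALE_BYTE is used to
 * build a report, which is then copied to a "user" buffer. Returns the
 * number of stale bytes that leaked. */
static size_t leaked_bytes(void (*fill)(struct report *, const char *, uint32_t))
{
    struct report slot;
    unsigned char user_buf[sizeof(struct report)];

    memset(&slot, STALE_BYTE, sizeof(slot)); /* model the dirty stack slot */
    fill(&slot, "cipher", 16);
    memcpy(user_buf, &slot, sizeof(slot));   /* model copy_to_user()/nla_put() */
    return count_stale_bytes(user_buf, sizeof(user_buf));
}

size_t leaked_bytes_partial(void) { return leaked_bytes(fill_report_partial); }
size_t leaked_bytes_full(void)    { return leaked_bytes(fill_report_full); }

int main(void)
{
    printf("partial init: %zu stale bytes copied to userspace\n", leaked_bytes_partial());
    printf("memset first: %zu stale bytes copied to userspace\n", leaked_bytes_full());
    return 0;
}
```

With the partial initializer, the two unassigned uint32_t fields (8 bytes) of stale data reach the user buffer; with the memset-first version nothing does. When reviewing kernel code that fills a struct destined for userspace, the check to apply is the same: either every byte (including padding) is provably written, or the structure is zeroed before any field is set.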