{
  "threat_severity" : "Low",
  "public_date" : "2019-08-20T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: a NULL pointer dereference in drivers/net/wireless/ath/ath10k/usb.c leads to a crash",
    "id" : "1743560",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1743560"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.", "A null pointer dereference flaw was discovered in the Linux kernel's implementation of the ath10k USB device driver. The vulnerability requires the attacker to plug in a specially crafted hardware device that present endpoint descriptors that normal ath10k devices do not recognize. System availability is the highest threat with this vulnerability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-04-16T00:00:00Z",
    "advisory" : "RHSA-2020:1493",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kernel-alt-0:4.14.0-115.19.1.el7a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-04-28T00:00:00Z",
    "advisory" : "RHSA-2020:1567",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-193.rt13.51.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-04-28T00:00:00Z",
    "advisory" : "RHSA-2020:1769",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-193.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-15099\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15099" ],
  "name" : "CVE-2019-15099",
  "mitigation" : {
    "value" : "As the ath10k module will be auto-loaded when required, its use can be disabled by preventing the module from loading using the following instructions.\nOn the command line, as root, execute the following command:\n# echo \"install ath10k_usb /bin/true\" >> /etc/modprobe.d/disable-ath10k_usb.conf \nThe system will need to be restarted if the ath10k_usb module are loaded. In most circumstances, the kernel modules will be unable to be unloaded while the ath10k WiFi network interface is in use. If the system requires this module to work correctly, this mitigation may not be suitable.\nIf you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.",
    "lang" : "en:us"
  },
  "csaw" : false
}