{
  "threat_severity" : "Important",
  "public_date" : "2019-08-20T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: local attacker can trigger multiple use-after-free conditions results in privilege escalation",
    "id" : "1747353",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1747353"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.", "A flaw was found in the way the Linux kernel's networking subsystem handled the write queue between TCP disconnection and re-connections. A local attacker could use this flaw to trigger multiple use-after-free conditions potentially escalating their privileges on the system." ],
  "statement" : "This issue affected Red Hat Enterprise Linux 7 starting with kernel version kernel-3.10.0-1053.el7. The first publicly available affected kernel version is kernel-3.10.0-1062.el7 released via https://access.redhat.com/errata/RHSA-2019:2029, the Red Hat Enterprise Linux 7.7 GA kernel errata release.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-11-26T00:00:00Z",
    "advisory" : "RHSA-2019:3978",
    "cpe" : "cpe:/a:redhat:rhel_extras_rt:7",
    "package" : "kernel-rt-0:3.10.0-1062.7.1.rt56.1030.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-11-26T00:00:00Z",
    "advisory" : "RHSA-2019:3979",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kernel-0:3.10.0-1062.7.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-01-06T00:00:00Z",
    "advisory" : "RHSA-2020:0027",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-alt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-15239\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15239" ],
  "name" : "CVE-2019-15239",
  "csaw" : false
}