// For flags

CVE-2019-7148

SUSE Security Advisory - SUSE-SU-2022:2614-2

Severity Score

6.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens."

Se ha descubierto un intento de asignación de memoria excesiva en la función read_long_names en elf_begin.c en libelf en la versión 0.174 de elfutils. Los atacantes remotos podrían aprovechar esta vulnerabilidad para provocar una denegación de servicio (DoS) mediante entradas elf manipuladas, lo que conduce a una excepción fuera de memoria. NOTA: Los mantenedores creen que este no es un fallo real, sino un "aviso provocado por ASAN debido a que la asignación es grande. Al establecer SAN_OPTIONS=allocator_may_return_null=1 y ejecutar el reproductor, no ocurre nada"

An update that fixes 19 vulnerabilities, contains one feature is now available. This update for dwarves and elfutils fixes the following issues.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-01-28 CVE Reserved
  • 2019-01-29 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (1)
URL Tag Source
URL Date SRC
https://sourceware.org/bugzilla/show_bug.cgi?id=24085 2024-08-04
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Elfutils Project
Search vendor "Elfutils Project"
 Elfutils
Search vendor "Elfutils Project" for product "Elfutils"
 0.174
Search vendor "Elfutils Project" for product "Elfutils" and version "0.174"
-
Affected