CVE-2019-19126

On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.

Published: Nov 19, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-19126
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.3
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-665

Affected Software
References

Software	From	Fixed in
gnu / glibc	-	2.31
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.10	19.10.x
canonical / ubuntu_linux	16.04	16.04.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
debian / debian_linux	10.0	10.0.x

https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/
https://sourceware.org/bugzilla/show_bug.cgi?id=25204
https://usn.ubuntu.com/4416-1/

Vulnerability Database

289,599

CVE-2019-19126