CVE-2019-19076

A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c in the Linux kernel before 5.3.6 allows attackers to cause a denial of service (memory consumption), aka CID-78beef629fd9. NOTE: This has been argued as not a valid vulnerability. The upstream commit 78beef629fd9 was reverted

Weakness

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Affected Software

Name	Vendor	Start Version	End Version
Linux_kernel	Linux	*	5.3.6 (excluding)
Linux	Ubuntu	disco	*
Linux	Ubuntu	eoan	*
Linux	Ubuntu	esm-infra-legacy/trusty	*
Linux	Ubuntu	precise/esm	*
Linux	Ubuntu	trusty	*
Linux	Ubuntu	trusty/esm	*
Linux	Ubuntu	upstream	*
Linux-aws	Ubuntu	disco	*
Linux-aws	Ubuntu	eoan	*
Linux-aws	Ubuntu	esm-infra-legacy/trusty	*
Linux-aws	Ubuntu	trusty	*
Linux-aws	Ubuntu	trusty/esm	*
Linux-aws	Ubuntu	upstream	*
Linux-aws-5.0	Ubuntu	bionic	*
Linux-aws-5.0	Ubuntu	upstream	*
Linux-aws-hwe	Ubuntu	upstream	*
Linux-azure	Ubuntu	bionic	*
Linux-azure	Ubuntu	disco	*
Linux-azure	Ubuntu	eoan	*
Linux-azure	Ubuntu	esm-infra-legacy/trusty	*
Linux-azure	Ubuntu	trusty	*
Linux-azure	Ubuntu	trusty/esm	*
Linux-azure	Ubuntu	upstream	*
Linux-azure-5.3	Ubuntu	upstream	*
Linux-azure-edge	Ubuntu	bionic	*
Linux-azure-edge	Ubuntu	esm-infra/bionic	*
Linux-azure-edge	Ubuntu	upstream	*
Linux-azure-edge	Ubuntu	xenial	*
Linux-gcp	Ubuntu	bionic	*
Linux-gcp	Ubuntu	disco	*
Linux-gcp	Ubuntu	eoan	*
Linux-gcp	Ubuntu	upstream	*
Linux-gcp-5.3	Ubuntu	upstream	*
Linux-gcp-edge	Ubuntu	bionic	*
Linux-gcp-edge	Ubuntu	esm-infra/bionic	*
Linux-gcp-edge	Ubuntu	upstream	*
Linux-gke-4.15	Ubuntu	upstream	*
Linux-gke-5.0	Ubuntu	bionic	*
Linux-gke-5.0	Ubuntu	upstream	*
Linux-gke-5.3	Ubuntu	upstream	*
Linux-hwe	Ubuntu	bionic	*
Linux-hwe	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/xenial	*
Linux-hwe-edge	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	xenial	*
Linux-kvm	Ubuntu	disco	*
Linux-kvm	Ubuntu	eoan	*
Linux-kvm	Ubuntu	upstream	*
Linux-lts-trusty	Ubuntu	precise/esm	*
Linux-lts-trusty	Ubuntu	upstream	*
Linux-lts-xenial	Ubuntu	esm-infra-legacy/trusty	*
Linux-lts-xenial	Ubuntu	trusty	*
Linux-lts-xenial	Ubuntu	trusty/esm	*
Linux-lts-xenial	Ubuntu	upstream	*
Linux-oem	Ubuntu	upstream	*
Linux-oem	Ubuntu	xenial	*
Linux-oem-5.6	Ubuntu	upstream	*
Linux-oem-osp1	Ubuntu	bionic	*
Linux-oem-osp1	Ubuntu	disco	*
Linux-oem-osp1	Ubuntu	eoan	*
Linux-oem-osp1	Ubuntu	upstream	*
Linux-oracle	Ubuntu	disco	*
Linux-oracle	Ubuntu	eoan	*
Linux-oracle	Ubuntu	upstream	*
Linux-oracle-5.0	Ubuntu	bionic	*
Linux-oracle-5.0	Ubuntu	upstream	*
Linux-oracle-5.3	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	devel	*
Linux-raspi2	Ubuntu	disco	*
Linux-raspi2	Ubuntu	eoan	*
Linux-raspi2	Ubuntu	focal	*
Linux-raspi2	Ubuntu	upstream	*
Linux-raspi2-5.3	Ubuntu	upstream	*
Linux-snapdragon	Ubuntu	disco	*
Linux-snapdragon	Ubuntu	upstream	*

Potential Mitigations

Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
For example, glibc in Linux provides protection against free of invalid pointers.
When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-19076
CWE	https://cwe.mitre.org/data/definitions/401.html

Missing Release of Memory after Effective Lifetime

Weakness

Affected Software

Potential Mitigations

References