A vulnerability was found in pn533_usb_probe in drivers/nfc/pn533/usb.c, in the PN533 transceiver module with USB interface for the contact-less communication subsystem. If the driver registration fails partway through, it needs to do all the cleanup activity and free all the related resources, failing which it can lead to a use-after-free problem.

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6af3aa57a0984e061f61308fe181a9a12359fecc

References:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9
http://seclists.org/oss-sec/2019/q4/115
http://www.openwall.com/lists/oss-security/2019/12/03/4
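The failure mode described above, as an added user-space model (not the pn533 driver's code and not taken from the upstream patch): a probe routine that registers a device, hits a late failure, and frees the device with or without undoing the registration. All names (`struct dev`, `registry`, `register_dev`, `finalize_setup`, `probe_flawed`, `probe_fixed`) are hypothetical.

```c
#include <stdlib.h>

/* Constructed user-space model of a probe routine; all names are hypothetical. */
struct dev { int id; };

static struct dev *registry;   /* stands in for the subsystem's list of registered devices */
static int registry_count;     /* number of live registrations */

static void register_dev(struct dev *d) { registry = d; registry_count++; }
static void unregister_dev(struct dev *d)
{
    if (registry_count && registry == d) { registry = NULL; registry_count--; }
}

/* Late setup step that can fail after the device is already registered. */
static int finalize_setup(int fail) { return fail ? -1 : 0; }

/* Flawed unwind: frees the device but leaves its registration behind. */
static int probe_flawed(int fail)
{
    struct dev *d = calloc(1, sizeof(*d));
    if (!d) return -1;
    register_dev(d);
    if (finalize_setup(fail)) {
        free(d);               /* registry still refers to freed memory */
        return -1;
    }
    return 0;
}

/* Corrected unwind: undo each completed step in reverse order, then free. */
static int probe_fixed(int fail)
{
    struct dev *d = calloc(1, sizeof(*d));
    if (!d) return -1;
    register_dev(d);
    if (finalize_setup(fail)) {
        unregister_dev(d);
        free(d);
        return -1;
    }
    return 0;
}

/* Run a probe with a forced late failure; return registrations left behind. */
static int stale_after_failed_probe(int (*probe)(int))
{
    registry = NULL; registry_count = 0;
    probe(1);
    return registry_count;
}
```

A non-zero result from `stale_after_failed_probe` means a later lookup through the registry would reach freed memory, which is the use-after-free condition the description refers to.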
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1783495]
This is fixed for Fedora with the 5.3.9 stable kernel update.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19526
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
External References:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9
http://seclists.org/oss-sec/2019/q4/115
http://www.openwall.com/lists/oss-security/2019/12/03/4
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6af3aa57a0984e061f61308fe181a9a12359fecc