In the Linux kernel, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver References: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.6 http://seclists.org/oss-sec/2019/q4/115 http://www.openwall.com/lists/oss-security/2019/12/03/4 Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7fd25e6fc035f4b04b75bca6d7e8daa069603a76
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1783479]
This is fixed for Fedora with the 5.3.6 stable kernel update.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19525
External References: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.6 http://seclists.org/oss-sec/2019/q4/115 http://www.openwall.com/lists/oss-security/2019/12/03/4 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7fd25e6fc035f4b04b75bca6d7e8daa069603a76