CVE-2019-14283: Integer Overflow

Published Jul 26, 2019 · Updated

A vulnerability was found in the Linux kernel’s floppy disk driver implementation. A local attacker with access to the floppy device could call setgeometry in drivers/block/floppy.c, which does not validate the sect and head fields, causing an integer overflow and out-of-bounds read. This flaw may crash the system or allow an attacker to gather information that enables subsequent attacks.

Other sources

A vulnerability was found in the Linux kernel's floppy disk driver implementation. A local user with permission to access the floppy device could call setgeometry in drivers/block/floppy.c, which does not validate the sect and head fields, causing an integer overflow and out-of-bounds read. This may crash the system or allow an attacker to gather information that enables subsequent attacks.

Systems using QEMU will likely have the virtual floppy disk controller (FDC) enabled by default; Linux guests using this configuration will auto-load the floppy kernel module and are likely to be affected.

Mitigation:

The kernel module named 'floppy' contains the affected code. It can be blacklisted using the standard module blacklisting techniques, or the floppy controller can be disabled in the system's BIOS. See https://access.redhat.com/solutions/41278 for how to blacklist a kernel module.

For virtualized guests, the floppy device can also be removed from the guest's configuration to ensure that the module does not load.
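The blacklisting step above is the practical mitigation on a host or guest that cannot be patched immediately. The POSIX shell script below is an added example, not code from SecAlerts, Red Hat or the kernel project: it writes the usual modprobe.d blacklist entry for the floppy module and reports whether the module is currently loaded and whether a blacklist is in place. The file name blacklist-floppy.conf, the function names, and the ability to point the checks at alternative paths (so they can be exercised against constructed sample files instead of /proc/modules and /etc/modprobe.d) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): block the
# 'floppy' kernel module from loading and verify the host's state.
# Paths are parameters (assumption for this example) so the checks can be run
# against sample files; the defaults are the real system locations.

# Content of the modprobe.d drop-in (file name is an assumption).
# 'blacklist' stops hardware-alias autoloading; 'install floppy /bin/false'
# additionally makes an explicit 'modprobe floppy' fail.
floppy_blacklist_conf() {
    printf '%s\n' \
        '# CVE-2019-14283: prevent the floppy driver from loading' \
        'blacklist floppy' \
        'install floppy /bin/false'
}

# Return 0 if 'floppy' appears in a /proc/modules-style file.
floppy_module_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -q '^floppy ' "$modules_file"
}

# Return 0 if any *.conf in the modprobe.d directory blacklists floppy.
# -s silences the error when the directory has no .conf files at all.
floppy_blacklisted() {
    modprobe_dir="${1:-/etc/modprobe.d}"
    grep -qs -E \
        '^[[:space:]]*(blacklist[[:space:]]+floppy|install[[:space:]]+floppy[[:space:]]+/bin/(false|true))[[:space:]]*$' \
        "$modprobe_dir"/*.conf
}

# Write the drop-in file; on a real system this needs root.
apply_floppy_blacklist() {
    modprobe_dir="${1:-/etc/modprobe.d}"
    mkdir -p "$modprobe_dir"
    floppy_blacklist_conf > "$modprobe_dir/blacklist-floppy.conf"
}

# Print a summary; return 0 only when floppy is blacklisted AND not loaded.
floppy_mitigation_status() {
    modprobe_dir="${1:-/etc/modprobe.d}"
    modules_file="${2:-/proc/modules}"
    status=0
    if floppy_module_loaded "$modules_file"; then
        echo "floppy module is loaded (unload with 'rmmod floppy' or reboot after blacklisting)"
        status=1
    else
        echo "floppy module is not loaded"
    fi
    if floppy_blacklisted "$modprobe_dir"; then
        echo "floppy is blacklisted in $modprobe_dir"
    else
        echo "floppy is NOT blacklisted in $modprobe_dir"
        status=1
    fi
    return $status
}

# Stand-alone use: 'sh floppy-mitigation.sh check' reports this host's state;
# 'sh floppy-mitigation.sh apply' (as root) writes the blacklist and re-checks.
case "${1:-}" in
    apply) apply_floppy_blacklist && floppy_mitigation_status ;;
    check) floppy_mitigation_status ;;
esac
```

The check exits non-zero while the module is still resident, because a blacklist only affects future loads; unload it or reboot, and if your distribution copies modprobe.d into the initramfs, regenerate the initramfs so the entry applies early. For QEMU guests the advisory's other option, removing the floppy controller from the guest definition, removes the device the module would bind to in the first place.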

External references:

Changelog: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.3

Upstream commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=da99466ac243f15fbba65bd261bfc75ffa1532b6 (mirror: https://github.com/torvalds/linux/commit/da99466ac243f15fbba65bd261bfc75ffa1532b6)

Red Hat

In the Linux kernel before 5.2.3, setgeometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default.

Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by an integer overflow and out-of-bounds read in drivers/block/floppy.c. By using a specially crafted floppy disk, an attacker could exploit this vulnerability to execute arbitrary code on the system.

IBM

Affected Software

6 affected components (fixes available)

Component               Affected versions               Fixed version
redhat/kernel-rt        < 0:3.10.0-1127.rt56.1093.el7   0:3.10.0-1127.rt56.1093.el7
redhat/kernel           < 0:3.10.0-1127.el7             0:3.10.0-1127.el7
redhat/kernel           < 0:3.10.0-1062.26.1.el7        0:3.10.0-1062.26.1.el7
IBM Data Risk Manager   <= 2.0.6                        (none listed)
Linux kernel            < 5.2.3                         (none listed)
debian/linux            (not listed)                    5.10.223-1, 5.10.257-1, 6.1.170-3, 6.1.174-1, 6.12.86-1, 6.12.90-2, 7.0.10-1, 7.0.12-2

Remediation

Information

The kernel module named 'floppy' contains the affected code. It can be blacklisted using the standard module blacklisting techniques, or the floppy controller can be disabled in the system's BIOS. See https://access.redhat.com/solutions/41278 for how to blacklist a kernel module. For virtualized guests, the floppy device can also be removed from the guest's configuration to ensure that the module does not load.

Event History

Jul 26, 2019, 12:00 AM: CVE Published
Jul 26, 2019, 12:24 PM: CVE Published via MITRE
Jul 26, 2019, 12:24 PM: Data Sourced via MITRE (Description)
Jul 30, 2019, 04:43 AM: Data Sourced via Red Hat (Description, Severity, Affected Software)
Jan 11, 2024, 11:17 PM: Data Sourced via Launchpad (Description)
May 23, 2026, 09:27 AM: Data Sourced via Ubuntu (Remedy, Description, Severity, Affected Software)
Jun 13, 2026, 09:53 AM: Data Sourced via Debian (Description, Affected Software)

Parent advisories

This vulnerability appears in the following advisories.


Frequently Asked Questions

1. What is the severity of CVE-2019-14283?

CVE-2019-14283 is classified as a high severity vulnerability due to the potential for local attackers to exploit it.

2. How do I fix CVE-2019-14283?

To fix CVE-2019-14283, update your Linux kernel to a version that addresses this vulnerability.

3. Which versions of the Linux kernel are affected by CVE-2019-14283?

CVE-2019-14283 affects versions of the Linux kernel prior to 5.2.3.

4. Can CVE-2019-14283 be exploited remotely?

CVE-2019-14283 requires local access to the vulnerable system and cannot be exploited remotely.

5. What type of systems are impacted by CVE-2019-14283?

CVE-2019-14283 impacts systems running specific versions of the Linux kernel and the IBM Data Risk Manager.
