File Descriptor Leak in D-Bus Server of dbus Daemon by Freedesktop
CVE-2020-12049

5.5MEDIUM

Key Information:

Vendor: Freedesktop
Status: Dbus
Vendor: CVE Published:; 8 June 2020

🔔 Create Freedesktop Vulnerability Alert

What is CVE-2020-12049?

A vulnerability exists in the D-Bus server implementation within the libdbus library, where file descriptors may be leaked when messages exceed the allowed per-message limit. A local attacker with access to the D-Bus system bus or a private AF_UNIX socket from another system service can exploit this flaw, potentially overwhelming the system service and preventing subsequent D-Bus clients from functioning properly due to reaching the file descriptor limit.

References

https://gitlab.freedesktop.org/dbus/dbus/-/issues/294

https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.13.16

http://www.openwall.com/lists/oss-security/2020/06/04/3

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2020
Vulnerability Reserved
Apr 21, 2020