CVE-2019-19922

CVE-2019-19922 is a medium-severity vulnerability in Oracle Sd-wan Edge with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-400.

Key facts

Description

kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)

Frequently asked questions

What is CVE-2019-19922?
kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)
How severe is CVE-2019-19922?
CVE-2019-19922 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2019-19922 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2019-19922?
CVE-2019-19922 primarily affects Oracle Sd-wan Edge. In total, 15 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-19922?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2019-19922 published?
CVE-2019-19922 was published on 2019-12-22 and last updated on 2026-06-17.

References

Affected products (15)

More vulnerabilities in Oracle Sd-wan Edge

All CVEs affecting Oracle Sd-wan Edge →

Other CWE-400 (Uncontrolled Resource Consumption) vulnerabilities

Browse all CWE-400 (Uncontrolled Resource Consumption) vulnerabilities →