{"id":"CVE-2019-5094","details":"An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.","modified":"2026-04-16T04:39:16.780110581Z","published":"2019-09-24T22:15:13.247Z","related":["SUSE-RU-2019:2676-1","SUSE-RU-2019:2677-1","openSUSE-SU-2024:10731-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4142-2/"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Sep/58"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200115-0002/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4142-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4535"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-05"},{"type":"EVIDENCE","url":"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tytso/e2fsprogs","events":[{"introduced":"4e52870eeb08ed7532bf4fd3d5cb1538f714bdc8"},{"last_affected":"1f56fb81236fe3e25e2c60c1e89ea0aa7cb36260"}],"database_specific":{"versions":[{"introduced":"1.43.3"},{"last_affected":"1.45.3"}]}}],"versions":["1.43.4","debian/1.44.3-1","v1.43.3","v1.43.4","v1.44.0","v1.44.0-rc1","v1.44.0-rc2","v1.44.1","v1.44.2","v1.44.3","v1.44.3-rc1","v1.44.3-rc2","v1.45.0","v1.45.1","v1.45.1-rc1","v1.45.2","v1.45.3"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-5094.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}