kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)
Conclusion & alert: CVE-2019-19922 is rated Exploit Available (57.6/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.95%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.07% | 0.95% | +0.88% |
| 2 | 2025-03-30 | 0.31% | 0.07% | -0.24% |
| 3 | 2025-03-29 | — | 0.31% | — |
Full EPSS history (11 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.5 | 3.1 | MEDIUM |
|
1.8 | 3.6 | [email protected] |
| 2.1 | 2.0 | LOW |
|
3.9 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2019-19922 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2019-19922 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2019-19922 |
suse
|
medium | CVE-2019-19922 severity moderate: SUSE including 389 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 536 product×package rows across 65 product lines (SUSE Liberty Linux 8, SUSE Linux Enterprise Desktop 12 SP4, … (65 product lines)): Fixed 229, Known Affected 157, Known Not Affected 150. | https://www.suse.com/security/cve/CVE-2019-19922/ |
ubuntu
|
medium | CVE-2019-19922 medium priority: Ubuntu including 97 source packages (linux, linux-aws, …), 933 status rows across 12 suites (bionic, disco, eoan, focal, groovy, jammy, noble, oracular, plucky, trusty, upstream, xenial): DNE 636, not-affected 146, released 137, ignored 14. | https://ubuntu.com/security/CVE-2019-19922 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linux | linux_kernel | < 5.3.9 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| oracle | sd-wan_edge | 8.2 | cpe:2.3:a:oracle:sd-wan_edge:8.2:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 18.04 | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 19.04 | cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| netapp | active_iq_unified_manager | — | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* |
| netapp | cloud_backup | — | cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:* |
| netapp | data_availability_services | — | cpe:2.3:a:netapp:data_availability_services:-:*:*:*:*:*:*:* |
| netapp | e-series_santricity_os_controller | >= 11.0, <= 11.70.2 | cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* |
| netapp | fas\/aff_baseboard_management_controller | — | cpe:2.3:a:netapp:fas\/aff_baseboard_management_controller:-:*:*:*:*:*:*:* |
| netapp | hci_baseboard_management_controller | h610s | cpe:2.3:a:netapp:hci_baseboard_management_controller:h610s:*:*:*:*:*:*:* |
| netapp | solidfire_\&_hci_management_node | — | cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:* |
| netapp | steelstore_cloud_integrated_storage | — | cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:* |
| netapp | aff_baseboard_management_controller | a700 | cpe:2.3:h:netapp:aff_baseboard_management_controller:a700:*:*:*:*:*:*:* |
| netapp | solidfire_baseboard_management_controller | — | cpe:2.3:h:netapp:solidfire_baseboard_management_controller:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9 | Mailing List Patch Vendor Advisory |
| https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=de53fd7aedb100f03e5d2231cfce0e4993282425 | Mailing List Patch Vendor Advisory |
| https://github.com/kubernetes/kubernetes/issues/67577 | Issue Tracking Patch Third Party Advisory |
| https://github.com/torvalds/linux/commit/de53fd7aedb100f03e5d2231cfce0e4993282425 | Patch Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html | Mailing List Third Party Advisory |
| https://relistan.com/the-kernel-may-be-slowing-down-your-app | Exploit Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20200204-0002/ | Third Party Advisory |
| https://usn.ubuntu.com/4226-1/ | Third Party Advisory |
| https://www.oracle.com/security-alerts/cpuApr2021.html | Patch Third Party Advisory |