CVE-2019-14604

Vulnerability

A null pointer dereference vulnerability exists in the FPGA kernel driver component of Intel Quartus Prime Pro Edition software prior to version 19.3. The driver, used for FPGA programming and configuration, fails to properly validate a pointer before dereferencing it under specific conditions, leading to a crash. The issue is triggered by an authenticated user with local access [1].

Exploitation

An authenticated attacker with local access can exploit this vulnerability by performing operations that invoke the vulnerable code path in the FPGA kernel driver. The exact sequence is not publicly detailed, but it likely involves sending crafted IOCTL requests or other system calls that cause the driver to dereference a null pointer. No special privileges beyond standard user authentication are required [1].

Impact

Successful exploitation results in a denial of service (DoS) condition, causing the system or the driver to crash. The impact is limited to availability; no information disclosure, privilege escalation, or code execution is indicated [1].

Mitigation

Intel addressed this vulnerability in Quartus Prime Pro Edition version 19.3. Users should update to this version or later. No workarounds are provided in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].