Unrated severity · NVD Advisory · Published Jan 27, 2020 · Updated Aug 5, 2024

CVE-2019-20430

Description

In the Lustre file system before 2.12.3, the mdt module has an LBUG panic (via a large MDT Body eadatasize field) due to the lack of validation for specific fields of packets sent by a client.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2019-20430 is a denial-of-service vulnerability in the Lustre file system, where missing packet-field validation in the mdt module triggers an LBUG kernel panic.

Vulnerability

CVE-2019-20430 resides in the mdt module of the Lustre parallel file system before version 2.12.3. The module does not validate certain fields in packets sent by a client, in particular the eadatasize field of the MDT (Metadata Target) Body. When a client sends a crafted packet with a large eadatasize value, the req_capsule_set_size function triggers an LBUG assertion, leading to a kernel panic. The issue affects all Lustre deployments running versions prior to 2.12.3, as indicated in the Lustre 2.12.3 changelog [1] and the related Jira ticket [2].
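
The validation gap described above, modeled as an added C example (not Lustre's code and not part of the advisory). The body layout, the 64 KiB limit and all function names are assumptions chosen for illustration. It contrasts passing a client-supplied size straight into a helper that asserts on it with rejecting the value at the trust boundary.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model: layout, limit and names are assumptions, not Lustre's. */
#define MODEL_BODY_LEN    8u      /* two little-endian u32 fields */
#define MODEL_MAX_EA_SIZE 65536u  /* assumed cap on the reply buffer */

/* Constructed sample bodies: eadatasize = 4096 and 0xffffffff. */
static const uint8_t SAMPLE_OK[8]  = {0, 0, 0, 0, 0x00, 0x10, 0, 0};
static const uint8_t SAMPLE_BIG[8] = {0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in for a sizing helper that enforces its precondition with an
 * assertion; it records the violation instead of halting. */
static int model_set_size(uint32_t size, int *assert_hit)
{
    if (size > MODEL_MAX_EA_SIZE)
        *assert_hit = 1;          /* a real assertion would panic here */
    return 0;
}

/* Before: the client-supplied field flows straight into the helper. */
int handle_unchecked(const uint8_t *buf, size_t len, int *assert_hit)
{
    *assert_hit = 0;
    if (len < MODEL_BODY_LEN)
        return -EINVAL;
    return model_set_size(le32(buf + 4), assert_hit);
}

/* After: reject at the trust boundary with an error code, so the
 * assertion cannot be reached from the wire. */
int handle_checked(const uint8_t *buf, size_t len, int *assert_hit)
{
    uint32_t eadatasize;
    *assert_hit = 0;
    if (len < MODEL_BODY_LEN)
        return -EINVAL;
    eadatasize = le32(buf + 4);
    if (eadatasize > MODEL_MAX_EA_SIZE)
        return -ERANGE;
    return model_set_size(eadatasize, assert_hit);
}
```

The design point is that an assertion documents an internal invariant; any value that arrives from a client has to be checked and refused with an error before it can reach one.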

Exploitation

An attacker with network access to the Lustre file system can send a specially crafted packet to an affected Metadata Server (MDS). No authentication is required to trigger the vulnerability, as the mdt module does not validate the eadatasize field in incoming requests. The attacker must be able to reach the Lustre network (e.g., LNet) and send a maliciously formed RPC to the MDS. The kernel panic trace in reference [2] shows the crash occurring in the mdt_getxattr function path, which handles extended attribute operations. The exploitation is straightforward: the attacker sends a packet with an oversized eadatasize, causing the LBUG panic in req_capsule_set_size [2].

Impact

Successful exploitation causes the Metadata Server to immediately panic and crash, leading to a denial of service (DoS) for all clients accessing the file system. The kernel panic (LBUG) halts the MDS, making the entire Lustre file system unavailable until the server is rebooted or the mdt module is restarted. This affects the availability of the file system but does not lead to data corruption or unauthorized data access, as the crash prevents any further operations. The impact is confined to a denial of service, with no evidence of code execution or information disclosure in the available references [1][2].

Mitigation

The vulnerability is fixed in Lustre version 2.12.3, which was released in January 2020 according to the Lustre 2.12.3 changelog [1]. Administrators should upgrade all Metadata Servers running the mdt module to version 2.12.3 or later. As of the publication date (2020-01-27), no workaround is documented, and the fix requires updating the Lustre software. Checking the Lustre releases page [3] ensures access to the latest patched versions. There is no known inclusion of this CVE in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Lustre/Lustre file system (description)
  • Lustre/Lustre (llm-fuzzy)
    Range: <2.12.3

References

4
