The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2020-16119

CVE-2020-16119: Linux Kernel Use-After-Free Vulnerability

CVE-2020-16119 is a use-after-free flaw in the Linux kernel affecting DCCP socket handling. Local attackers can exploit this vulnerability to compromise system security. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published: March 4, 2026

CVE-2020-16119 Overview

CVE-2020-16119 is a use-after-free vulnerability affecting the Linux kernel's DCCP (Datagram Congestion Control Protocol) implementation. The vulnerability allows a local attacker to exploit a race condition where a DCCP socket with an attached dccps_hc_tx_ccid object can be reused as a listener after the object has been released. This memory corruption flaw can lead to local privilege escalation, allowing unprivileged users to gain elevated system access.

Critical Impact

Local attackers can exploit this use-after-free condition to achieve privilege escalation, potentially gaining root access on affected Linux systems running vulnerable kernel versions.

Affected Products

  • Linux Kernel (all versions prior to patches)
  • Canonical Ubuntu Linux 12.04 LTS, 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS
  • Debian Linux 9.0 and 11.0

Discovery Timeline

  • 2021-01-14 - CVE-2020-16119 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-16119

Vulnerability Analysis

This use-after-free vulnerability (CWE-416) exists within the Linux kernel's DCCP socket handling code. DCCP is a message-oriented transport layer protocol designed to provide congestion control for unreliable datagram flows. The vulnerability specifically affects the congestion control identifier (ccid) object management within DCCP socket operations.

When a DCCP socket transitions through various states, particularly when being converted to a listener socket, the kernel may fail to properly manage the lifecycle of the attached dccps_hc_tx_ccid object. If this object is freed but the socket structure retains a dangling pointer to it, subsequent operations on the socket can reference deallocated memory.

An attacker with local access can craft a sequence of socket operations that trigger this improper state transition, causing the kernel to access freed memory. This can be leveraged to corrupt kernel data structures, bypass security mechanisms, or execute arbitrary code with kernel privileges.

Root Cause

The root cause lies in improper object lifecycle management within the DCCP subsystem. Specifically, when a DCCP socket's congestion control handler (dccps_hc_tx_ccid) is released during certain socket state transitions, the reference to this object is not properly cleared. The kernel code fails to ensure that the socket cannot be reused as a listener while still holding references to the freed CCID object.

This represents a classic use-after-free pattern where:

  1. A dccps_hc_tx_ccid object is allocated and attached to a DCCP socket
  2. The object is freed during a state change or cleanup operation
  3. The socket retains a stale pointer to the freed object
  4. Subsequent use of the socket as a listener triggers access to freed memory

Attack Vector

The attack vector is local, requiring an attacker to have the ability to execute code on the target system. The exploitation process involves manipulating DCCP socket states through system calls to trigger the use-after-free condition. The attacker would typically create a DCCP socket, perform specific operations to trigger the premature freeing of the CCID object, and then force the socket into a listener state where the freed memory is accessed.

Successful exploitation requires low privileges and no user interaction. The vulnerability affects the confidentiality, integrity, and availability of the system, as kernel-level code execution can lead to complete system compromise.

Detection Methods for CVE-2020-16119

Indicators of Compromise

  • Unexpected kernel crashes or panics related to DCCP socket operations
  • Suspicious DCCP socket activity from unprivileged processes
  • Memory corruption indicators in kernel logs referencing dccp or ccid subsystems
  • Processes unexpectedly gaining elevated privileges without authorization

Detection Strategies

  • Monitor kernel logs for DCCP-related warnings, errors, or crashes using dmesg or syslog analysis
  • Implement kernel auditing to track DCCP socket creation and state transitions by unprivileged users
  • Deploy endpoint detection solutions capable of monitoring for kernel exploit behaviors and privilege escalation attempts
  • Use Linux Audit subsystem to log socket() syscalls with AF_DCCP protocol family

Monitoring Recommendations

  • Configure alerting on kernel oops or panic events that reference DCCP subsystem components
  • Monitor for unusual patterns of DCCP socket operations, especially from non-network service processes
  • Implement behavioral analysis to detect privilege escalation attempts following DCCP socket manipulation
  • Review system call patterns for sequences indicative of socket state manipulation attacks

How to Mitigate CVE-2020-16119

Immediate Actions Required

  • Update affected Linux kernels to patched versions immediately
  • Apply vendor-provided security updates for Ubuntu (kernel versions 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191, 3.2.0-149.196)
  • Apply Debian security updates as documented in DSA-4978 and related LTS announcements
  • Restrict local system access to trusted users until patches can be applied

Patch Information

Security patches are available from multiple vendors. Ubuntu has released fixed kernel versions across multiple supported releases. The patch commit can be found in the Ubuntu Kernel Commit Update. Additional details are available in Launchpad Bug Report #1883840.

Debian users should apply updates as specified in Debian Security Advisory DSA-4978 and the Debian LTS announcements.

NetApp customers should review NetApp Security Advisory ntap-20210304-0006 for affected product information.

Workarounds

  • Disable the DCCP kernel module if not required by running modprobe -r dccp and blacklisting the module
  • Add blacklist dccp and blacklist dccp_ipv4 to /etc/modprobe.d/blacklist.conf to prevent module loading
  • Implement strict user access controls to limit local shell access on vulnerable systems
  • Use container isolation or virtualization to limit the impact of potential exploitation
bash
# Disable and blacklist DCCP kernel module
sudo modprobe -r dccp dccp_ipv4 dccp_ipv6 2>/dev/null
echo "blacklist dccp" | sudo tee -a /etc/modprobe.d/blacklist-dccp.conf
echo "blacklist dccp_ipv4" | sudo tee -a /etc/modprobe.d/blacklist-dccp.conf
echo "blacklist dccp_ipv6" | sudo tee -a /etc/modprobe.d/blacklist-dccp.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux Kernel
  • SeverityHIGH
  • CVSS Score7.8
  • EPSS Probability0.08%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-416
  • Technical References
  • Debian LTS Announcement October 2021
  • Debian LTS Announcement December 2021
  • Kernel Netdev Discussion
  • NetApp Security Advisory ntap-20210304-0006
  • Ubuntu Security Notice USN-4576-1
  • Ubuntu Security Notice USN-4577-1
  • Ubuntu Security Notice USN-4578-1
  • Ubuntu Security Notice USN-4579-1
  • Ubuntu Security Notice USN-4580-1
  • Debian Security Advisory DSA-4978
  • Vendor Resources
  • Ubuntu Kernel Commit Update
  • Launchpad Bug Report #1883840
  • Related CVEs
  • CVE-2026-43328: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43500: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43333: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43335: Linux Kernel Use-After-Free Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English