lustre CVE Vulnerabilities & Metrics

Focus on lustre vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About lustre Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with lustre. We track both calendar-based metrics (using fixed periods) and rolling metrics (using sliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total lustre CVEs: 10
Earliest CVE date: 06 Nov 2008, 15:55 UTC
Latest CVE date: 27 Jan 2020, 05:15 UTC

Latest CVE reference: CVE-2019-20432

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical lustre CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 7.83

Max CVSS: 9.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range      Count
0.0-3.9    0
4.0-6.9    1
7.0-8.9    9
9.0-10.0   1

CVSS Distribution Chart

Top 5 Highest CVSS lustre CVEs

These are the five CVEs with the highest CVSS scores for lustre, sorted by severity first and then by recency.

All CVEs for lustre

CVE-2019-20432 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the mdt module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. mdt_file_secctx_unpack does not validate the value of name_size derived from req_capsule_get_size.

CVE-2019-20431 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the ptlrpc module has an osd_map_remote_to_local out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. osd_bufs_get in the osd_ldiskfs module does not validate a certain length value.

CVE-2019-20430 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the mdt module has an LBUG panic (via a large MDT Body eadatasize field) due to the lack of validation for specific fields of packets sent by a client.

CVE-2019-20429 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic (via a modified lm_bufcount field) due to the lack of validation for specific fields of packets sent by a client. This is caused by interaction between sptlrpc_svc_unwrap_request and lustre_msg_hdr_size_v2.

CVE-2019-20428 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic due to the lack of validation for specific fields of packets sent by a client. The ldl_request_cancel function mishandles a large lock_count parameter.

CVE-2019-20427 lustre vulnerability CVSS: 9.0 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic, and possibly remote code execution, due to the lack of validation for specific fields of packets sent by a client. Interaction between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages integer signedness error.

CVE-2019-20426 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. In the function ldlm_cancel_hpreq_check, there is no lock_count bounds check.

CVE-2019-20425 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. In the function lustre_msg_string, there is no validation of a certain length value derived from lustre_msg_buflen_v2.

CVE-2019-20424 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, mdt_object_remote in the mdt module has a NULL pointer dereference and panic due to the lack of validation for specific fields of packets sent by a client.

CVE-2019-20423 lustre vulnerability CVSS: 7.8 27 Jan 2020, 05:15 UTC

In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic due to the lack of validation for specific fields of packets sent by a client. The function target_handle_connect() mishandles a certain size value when a client connects to a server, because of an integer signedness error.

CVE-2008-4970 lustre vulnerability CVSS: 6.9 06 Nov 2008, 15:55 UTC

runiozone in lustre 1.6.5 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/iozone.log temporary file.