{
  "threat_severity" : "Moderate",
  "public_date" : "2019-08-06T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: use-after-free caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver",
    "id" : "1783498",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1783498"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.", "A vulnerability was found in hiddev_open in drivers/hid/usbhid/hiddev.c in the USB Human Interface Device class subsystem, where an existing device must be validated prior to its access. The driver should also ensure that hiddev_list cleanup occurs on failure, as failing to do so may lead to a use-after-free problem, or possibly allow an unauthorized user to escalate privileges." ],
  "statement" : "This issue is rated as Moderate because physical access to the system is required.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-07-29T00:00:00Z",
    "advisory" : "RHSA-2020:3221",
    "cpe" : "cpe:/a:redhat:rhel_extras_rt:7",
    "package" : "kernel-rt-0:3.10.0-1127.18.2.rt56.1116.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-07-29T00:00:00Z",
    "advisory" : "RHSA-2020:3220",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kernel-0:3.10.0-1127.18.2.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Extended Update Support",
    "release_date" : "2020-10-13T00:00:00Z",
    "advisory" : "RHSA-2020:4236",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.7",
    "package" : "kernel-0:3.10.0-1062.36.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-04-07T00:00:00Z",
    "advisory" : "RHSA-2020:1378",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-147.8.1.rt24.101.el8_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-04-07T00:00:00Z",
    "advisory" : "RHSA-2020:1372",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-147.8.1.el8_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-alt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-19527\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-19527" ],
  "name" : "CVE-2019-19527",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}