{
  "threat_severity" : "Moderate",
  "public_date" : "2021-01-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: out of bounds write in hid-multitouch.c may lead to escalation of privilege",
    "id" : "1920471",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1920471"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20->CWE-787",
  "details" : [ "In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-162844689References: Upstream kernel", "A flaw was found in the Linux kernel’s multi-touch input system. An out-of-bounds write triggered by a use-after-free issue could lead to memory corruption or possible privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2022-02-22T00:00:00Z",
    "advisory" : "RHSA-2022:0622",
    "cpe" : "cpe:/a:redhat:rhel_extras_rt:7",
    "package" : "kernel-rt-0:3.10.0-1160.59.1.rt56.1200.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2022-02-22T00:00:00Z",
    "advisory" : "RHSA-2022:0620",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kernel-0:3.10.0-1160.59.1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-alt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-0465\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-0465" ],
  "name" : "CVE-2020-0465",
  "mitigation" : {
    "value" : "As the multitouch module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:\n# echo \"install hid-multitouch /bin/true\" >> /etc/modprobe.d/disable-hid-multitouch.conf\nThe system may need to be restarted if the hid-multitouch module is loaded. In most circumstances, a kernel modules will be unable to be unloaded while in use.\nIf the system requires this module to work correctly, this mitigation may not be suitable.\nIf you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.",
    "lang" : "en:us"
  },
  "csaw" : false
}