CVE-2020-27786

CWE-416Use After Free7 documents6 sources
Severity
7.8HIGH
EPSS
7.6%
top 8.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Linux Linux KernelRedhat Enterprise LinuxRedhat Enterprise MRG+1 more
Timeline
PublishedDec 11
Latest updateMay 24

Description

A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

Android:linux_kernel::0:2021-05-05
NVDlinux/linux_kernel4.54.9.224+5
Debianlinux< 5.6.14-1+3
CVEListV5kernelkernel 5.7-rc6

Also affects: Enterprise Linux 7.0, 8.0, Openshift Container Platform 4.4, 4.5, 4.6

Patches

Patch: bugzilla.redhat.comPatch: git.kernel.orgPatch: bugzilla.redhat.com

🔴Vulnerability Details

4
GHSA
GHSA-3mfq-6299-p3w3: A flaw was found in the Linux kernels implementation of MIDI (kernel 52022-05-24
OSV
CVE-2020-27786: In several functions of rawmidi2021-05-01
OSV
CVE-2020-27786: A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to m2020-12-11
CVEList
CVE-2020-27786: A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to m2020-12-11

📋Vendor Advisories

2
Red Hat
kernel: use-after-free in kernel midi subsystem2020-12-02
Debian
CVE-2020-27786: linux - A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker...2020