Vulnerability Details : CVE-2019-20636
In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.
Vulnerability category: Memory Corruption
Products affected by CVE-2019-20636
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:h610s:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:fas_8300:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:fas_8700:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:h610c:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:h615c:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:fas_baseboard_management_controller_a220:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:fas_baseboard_management_controller_a320:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:fas_baseboard_management_controller_a800:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:fas_baseboard_management_controller_c190:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:fas_a400:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-20636
- 0.05%: Probability of exploitation activity in the next 30 days
- ~12%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-20636
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 | NIST | |
CWE ids for CVE-2019-20636
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-20636
- https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html
  [SECURITY] [DLA 2241-2] linux security update (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html
  [SECURITY] [DLA 2241-1] linux security update (Mailing List; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200430-0004/
  April 2020 Linux Kernel Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.12
  (Release Notes; Vendor Advisory)
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cb222aed03d798fc074be55e59d9a112338ee784
  kernel/git/torvalds/linux.git - Linux kernel source tree (Patch; Vendor Advisory)
- https://github.com/torvalds/linux/commit/cb222aed03d798fc074be55e59d9a112338ee784
  Input: add safety guards to input_set_keycode() · torvalds/linux@cb222ae · GitHub (Patch; Third Party Advisory)