CVE-2020-0427

kernel: out-of-bounds reads in pinctrl subsystem.

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171

En la función create_pinctrl del archivo core.c, se presenta una posible lectura fuera de límites debido a un uso de la memoria previamente liberada. Esto podría conllevar a una divulgación de información local sin ser necesarios privilegios de ejecución adicionales. No es requerida una interacción del usuario para su explotación. Producto: Android, Versiones: kernel de Android, ID de Android: A-140550171

A flaw was found in the Linux pinctrl system. It is possible to trigger an of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed.

Elena Petrova discovered that the pin controller device tree implementation in the Linux kernel did not properly handle string references. A local attacker could use this to expose sensitive information. Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered that legacy pairing and secure-connections pairing authentication in the Bluetooth protocol could allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. A physically proximate attacker could use this to impersonate a previously paired Bluetooth device. Various other issues were also addressed.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-10-17 CVE Reserved
2020-09-17 CVE Published
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-416: Use After Free

CAPEC

References (8)

URL	Tag	Source
http://packetstormsecurity.com/files/161229/Kernel-Live-Patch-Security-Notice-LSN-0074-1.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html	Mailing List
https://www.starwindsoftware.com/security/sw-20210325-0005	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://source.android.com/security/bulletin/pixel/2020-09-01	2022-10-25

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html	2022-10-25
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00021.html	2022-10-25
https://access.redhat.com/security/cve/CVE-2020-0427	2021-11-09
https://bugzilla.redhat.com/show_bug.cgi?id=1919893	2021-11-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				-		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected
Starwindsoftware Search vendor "Starwindsoftware"		Starwind Virtual San Search vendor "Starwindsoftware" for product "Starwind Virtual San"				v8 Search vendor "Starwindsoftware" for product "Starwind Virtual San" and version "v8"		build12533, vsphere		Affected
Starwindsoftware Search vendor "Starwindsoftware"		Starwind Virtual San Search vendor "Starwindsoftware" for product "Starwind Virtual San"				v8 Search vendor "Starwindsoftware" for product "Starwind Virtual San" and version "v8"		build12658, vsphere		Affected
Starwindsoftware Search vendor "Starwindsoftware"		Starwind Virtual San Search vendor "Starwindsoftware" for product "Starwind Virtual San"				v8 Search vendor "Starwindsoftware" for product "Starwind Virtual San" and version "v8"		build12859, vsphere		Affected
Starwindsoftware Search vendor "Starwindsoftware"		Starwind Virtual San Search vendor "Starwindsoftware" for product "Starwind Virtual San"				v8 Search vendor "Starwindsoftware" for product "Starwind Virtual San" and version "v8"		build13170, vsphere		Affected
Starwindsoftware Search vendor "Starwindsoftware"		Starwind Virtual San Search vendor "Starwindsoftware" for product "Starwind Virtual San"				v8 Search vendor "Starwindsoftware" for product "Starwind Virtual San" and version "v8"		build13586, vsphere		Affected
Starwindsoftware Search vendor "Starwindsoftware"		Starwind Virtual San Search vendor "Starwindsoftware" for product "Starwind Virtual San"				v8 Search vendor "Starwindsoftware" for product "Starwind Virtual San" and version "v8"		build13861, vsphere		Affected