CVE-2024-58020: HID: multitouch: Add NULL check in mt_input_configured
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Add NULL check in mt_input_configured
devm_kasprintf() can return a NULL pointer on failure,but this
returned value in mt_input_configured() is not checked.
Add NULL check in mt_input_configured(), to handle kernel NULL
pointer dereference error.
Security readout for executives and security teams
Plain-English summary
CVE-2024-58020 is a Linux kernel flaw in the HID multitouch driver. If an internal string allocation fails, the driver may dereference a NULL pointer and crash kernel code. The source bundle does not provide CVSS, confirmed exploitation, or a detailed attack path.
Executive priority
Treat this as a routine kernel reliability and availability fix unless your environment has high-risk Linux endpoints, kiosks, appliances, or unmanaged kernels. No source in the bundle confirms active exploitation, but kernel crashes can still affect service availability.
Technical view
The flaw is in mt_input_configured(), where devm_kasprintf() may return NULL and the result was not checked before use. Upstream stable commits add a NULL check to handle allocation failure. Based on the supplied description, the likely impact is kernel NULL pointer dereference, commonly resulting in denial of service.
Likely exposure
Exposure is most relevant to Linux systems running affected kernel builds with the HID multitouch driver path present. The bundle names Linux as the affected product but does not define distribution-specific exposure beyond Debian LTS advisories and upstream stable references.
Exploitation context
The bundle marks KEV as false and provides no cited evidence of active exploitation or public weaponization. It also does not specify whether exploitation requires local access, physical device interaction, malicious hardware, or another trigger condition.
Researcher notes
The supplied evidence supports a missing allocation-failure check in the Linux HID multitouch driver. Severity, CWE, CVSS, preconditions, and exploitability are not provided. Research should focus on affected kernel lineage, backport status, and whether realistic allocation-failure paths can be externally influenced.
Mitigation direction
Check vendor kernel advisories for CVE-2024-58020 applicability.
Update to a kernel build containing the referenced stable fix.
Prioritize Debian LTS systems using the cited Debian advisories.
Track embedded or appliance vendors that ship Linux kernels.
Avoid assuming Siemens exposure without reviewing the linked advisories.
Validation and detection
Inventory Linux kernel versions across servers, endpoints, and appliances.
Check whether vendor kernels include the HID multitouch NULL-check fix.
Review Debian LTS advisory status for maintained Debian systems.
Confirm whether affected systems expose HID multitouch functionality.
Document systems awaiting vendor-fixed kernel packages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-58020 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
2ADP providers
13Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 27, 2025, 02:18 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.