LiveActive security incident?Get immediate response
CVE Record

CVE-2024-58020: HID: multitouch: Add NULL check in mt_input_configured

In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Add NULL check in mt_input_configured devm_kasprintf() can return a NULL pointer on failure,but this returned value in mt_input_configured() is not checked. Add NULL check in mt_input_configured(), to handle kernel NULL pointer dereference error.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-58020 is a Linux kernel flaw in the HID multitouch driver. If an internal string allocation fails, the driver may dereference a NULL pointer and crash kernel code. The source bundle does not provide CVSS, confirmed exploitation, or a detailed attack path.

Executive priority

Treat this as a routine kernel reliability and availability fix unless your environment has high-risk Linux endpoints, kiosks, appliances, or unmanaged kernels. No source in the bundle confirms active exploitation, but kernel crashes can still affect service availability.

Technical view

The flaw is in mt_input_configured(), where devm_kasprintf() may return NULL and the result was not checked before use. Upstream stable commits add a NULL check to handle allocation failure. Based on the supplied description, the likely impact is kernel NULL pointer dereference, commonly resulting in denial of service.

Likely exposure

Exposure is most relevant to Linux systems running affected kernel builds with the HID multitouch driver path present. The bundle names Linux as the affected product but does not define distribution-specific exposure beyond Debian LTS advisories and upstream stable references.

Exploitation context

The bundle marks KEV as false and provides no cited evidence of active exploitation or public weaponization. It also does not specify whether exploitation requires local access, physical device interaction, malicious hardware, or another trigger condition.

Researcher notes

The supplied evidence supports a missing allocation-failure check in the Linux HID multitouch driver. Severity, CWE, CVSS, preconditions, and exploitability are not provided. Research should focus on affected kernel lineage, backport status, and whether realistic allocation-failure paths can be externally influenced.

Mitigation direction

  • Check vendor kernel advisories for CVE-2024-58020 applicability.
  • Update to a kernel build containing the referenced stable fix.
  • Prioritize Debian LTS systems using the cited Debian advisories.
  • Track embedded or appliance vendors that ship Linux kernels.
  • Avoid assuming Siemens exposure without reviewing the linked advisories.

Validation and detection

  • Inventory Linux kernel versions across servers, endpoints, and appliances.
  • Check whether vendor kernels include the HID multitouch NULL-check fix.
  • Review Debian LTS advisory status for maintained Debian systems.
  • Confirm whether affected systems expose HID multitouch functionality.
  • Document systems awaiting vendor-fixed kernel packages.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-58020 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
13Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxdf7ca43fe090e1a56c216c8ebc106ef5fd49afc6, 15ec7cb55e7d88755aa01d44a7a1015a42bfce86, dde88ab4e45beb60b217026207aa9c14c88d71ab, 2763732ec1e68910719c75b6b896e11b6d3d622b, 4794394635293a3e74591351fff469cea7ad15a2, 4794394635293a3e74591351fff469cea7ad15a2, 4794394635293a3e74591351fff469cea7ad15a2, 4794394635293a3e74591351fff469cea7ad15a2, ac0d389402a6ff9ad92cea02c2d8c711483b91ab, 39c70c19456e50dcb3abfe53539220dff0490f1d, 1d7833db9fd118415dace2ca157bfa603dec9c8c, b70ac7849248ec8128fa12f86e3655ba38838f29, 5.4.257, 5.10.195, 5.15.132, 6.1.53, 4.14.326, 4.19.295, 6.4.16, 6.5.3unaffected
LinuxLinux6.6, 0, 5.4.291, 5.10.235, 5.15.179, 6.1.129, 6.6.79, 6.12.16, 6.13.4, 6.14affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.