A vulnerability was found in the video driver in Kernel where there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. References: https://source.android.com/security/bulletin/pixel/2019-09-01
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1819379]
This was fixed for Fedora in the 4.18.12 stable kernel update.
Mitigation: To mitigate this issue, prevent modules v4l2-common, v4l2-dv-timings from being loaded if not being used for primary display. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Statement: This issue is rated as having Moderate impact, because of the need of additional privileges (usually local console user) to access the video device driver.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9458
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609