CVE-2024-57906

CVE-2024-57906 is an information disclosure vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically the ti-ads8688 analog-to-digital converter (ADC) driver. The issue arises in the triggered buffer handling, where a local 'buffer' array used to push data to userspace is not fully initialized. While the driver assigns values only to active channels via iio_for_each_active_channel(), inactive channels retain uninitialized memory contents, which are then exposed to userspace. This flaw, classified under CWE-908 (Use of Uninitialized Resource), carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. By triggering buffer reads on the affected driver, the attacker can obtain sensitive uninitialized kernel memory leaked through inactive channels, achieving high confidentiality impact. The high availability impact likely stems from potential kernel instability or denial-of-service effects during exploitation attempts.

Mitigation involves applying upstream kernel patches, as detailed in the referenced stable commit fixes: 1c80a0985a9a, 2a7377ccfd94, 3bf8d1e87939, 455df95eb8b2, and 485570ed82b7. These commits initialize the buffer array to zero before use, preventing the leak of uninitialized data to userspace. Security practitioners should update affected Linux kernels promptly, particularly those using the ti-ads8688 driver in embedded or industrial environments.