CVE-2024-57908

CVE-2024-57908 is an information disclosure vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically the kmx61 inertial measurement unit (IMU) driver. The issue arises in the triggered buffer handling where a local 'buffer' array is used to push data to userspace. This array is not fully initialized, as the code only assigns values via iio_for_each_active_channel(), leaving values for inactive channels uninitialized. As a result, uninitialized kernel stack memory can be leaked to userspace. The vulnerability is rated with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) and is associated with CWE-908 (Use of Uninitialized Resource).

A local attacker with low privileges can exploit this vulnerability by interacting with the kmx61 driver through the IIO interface, such as by setting up a triggered buffer and reading the output. Successful exploitation allows disclosure of sensitive uninitialized kernel memory to userspace, potentially exposing kernel internals that could aid in further attacks. The CVSS metrics indicate high confidentiality impact from the leak, with high availability impact possibly stemming from related mishandling, though the primary effect is the information disclosure.

Mitigation is provided through upstream Linux kernel patches available in stable releases, as documented in the referenced commits. These patches initialize the 'buffer' array to zero before use, ensuring that inactive channels do not leak uninitialized data. Security practitioners should apply the relevant stable kernel updates, such as those at https://git.kernel.org/stable/c/0871eb8d700b33dd7fa86c80630d62ddaef58c2c and similar commits, to affected systems using the kmx61 driver.