Cyber Posture

CVE-2024-57910

Severity: High

Published: 19 January 2025
Modified: 03 November 2025
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (3.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: light: vcnl4035: fix information leak in triggered buffer

The 'buffer' local array is used to push data to userspace from a triggered buffer, but it does not set an initial value for the single data element, which is a u16 aligned to 8 bytes. That leaves at least 4 bytes uninitialized even after writing an integer value with regmap_read(). Initialize the array to zero before using it to avoid pushing uninitialized information to userspace.

Security Summary

CVE-2024-57910 is an information disclosure vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically the vcnl4035 light sensor driver. The issue is in the triggered buffer handler: a local 'buffer' array, used to push a scan record to userspace, holds a single u16 data element padded to an 8-byte boundary but is never initialized. The regmap_read() call writes only an integer-sized value into it, so at least 4 bytes of the record keep whatever the kernel stack previously held, and those bytes are copied to userspace along with the sample. The vulnerability is classified under CWE-908 (Use of Uninitialized Resource) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges can trigger the vulnerable path by reading from the driver's triggered buffer. Each read returns uninitialized kernel stack memory to userspace, which is the high confidentiality impact in the CVSS vector. The vector also rates availability impact as high, although the root cause is an uninitialized-data leak rather than a crash.

Mitigation is to apply the upstream stable kernel patches (for example https://git.kernel.org/stable/c/13e56229fc81051a42731046e200493c4a7c28ff and the corresponding backports), which initialize the buffer array to zero before use. Security practitioners should update affected Linux kernels to a version that includes these fixes.
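The pattern behind this CVE, modelled in user space as an added example (this is not the vcnl4035 driver's code): a scan record of one u16 padded to 8 bytes, a stand-in for regmap_read() that writes a 4-byte unsigned int, and the zero-initialization the fix adds. The buffer is pre-filled with a sentinel standing in for stale stack contents, so the bytes that would be disclosed can be counted deterministically; the sizes, names and sample register value are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Scan record modelled here: one u16 channel padded to an 8-byte boundary,
 * as the advisory describes (constructed model; the real driver also
 * appends a 64-bit timestamp after this). */
#define SCAN_BYTES 8

/* Stand-in for regmap_read(): the real API stores a full unsigned int
 * (4 bytes) through the pointer, even though the channel is only a u16.
 * 0x1234 is a constructed sample value. */
static int fake_regmap_read(unsigned int *val)
{
    *val = 0x1234;
    return 0;
}

/* Vulnerable pattern: the record is not initialised, so only the 4 bytes
 * stored by the register read are defined; the remaining 4 bytes keep
 * whatever the stack slot held before. */
void fill_scan_vulnerable(uint8_t scan[SCAN_BYTES])
{
    fake_regmap_read((unsigned int *)scan);
}

/* Fixed pattern (what the upstream commit does): zero the whole record
 * before the register read, so every byte pushed to userspace is defined. */
void fill_scan_fixed(uint8_t scan[SCAN_BYTES])
{
    memset(scan, 0, SCAN_BYTES);
    fake_regmap_read((unsigned int *)scan);
}

/* Pre-fill the record with a sentinel that plays the role of stale stack
 * contents, run the filler, and count the bytes past the 4 written by the
 * register read that still hold the sentinel, i.e. bytes that would leak. */
size_t leaked_bytes(void (*fill)(uint8_t *), uint8_t sentinel)
{
    uint8_t scan[SCAN_BYTES] __attribute__((aligned(8)));
    memset(scan, sentinel, SCAN_BYTES);
    fill(scan);
    size_t n = 0;
    for (size_t i = sizeof(unsigned int); i < SCAN_BYTES; i++)
        if (scan[i] == sentinel)
            n++;
    return n;
}
```

leaked_bytes(fill_scan_vulnerable, 0xAA) reports 4 disclosed bytes, matching the "at least 4 bytes" in the description, while the fixed variant reports 0.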

Details

CWE(s)
CWE-908

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 6.13; 5.4.132 to 5.4.290; 5.10.50 to 5.10.234; 5.12.17 to 5.13

References