Cyber Resilience

CVE-2024-57904

Severity: High
Published: 19 January 2025
Modified: 03 November 2025
KEV Added: not listed
CVSS Score (v3.1): 7.8, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0001 (2.1 percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57904 is a high-severity vulnerability in the Linux kernel; no CWE has been assigned to it. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE sits at the 2.1 percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57904 is a vulnerability in the Linux kernel's Industrial I/O (IIO) AT91 ADC driver (drivers/iio/adc/at91_adc.c), specifically in at91_ts_register(). The function allocates a touchscreen input device with input_allocate_device() into a local variable, input, and only stores that pointer in st->ts_input after a series of setup checks have passed. If one of those checks fails first, execution jumps to the err label while st->ts_input is still unset, and the cleanup there calls input_free_device(st->ts_input) instead of input_free_device(input). Because input_free_device() treats a NULL argument as a no-op, the freshly allocated input device is never released on that path. The flaw carries an assigned CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vector describes a local attacker with low privileges, low attack complexity and no user interaction, and rates confidentiality, integrity and availability impact as high. What the kernel patch itself establishes is narrower: an error-path resource leak when touchscreen registration fails before st->ts_input is set. Practitioners should treat the score as the generic rating applied to local kernel flaws rather than as evidence of a demonstrated memory-corruption primitive, and prioritise accordingly.

Mitigation is to apply the referenced stable commits, for example https://git.kernel.org/stable/c/028a1ba8e3bae593d701aee4f690ce7c195b67d6 and the others listed, which change the error path to call input_free_device() on the local input variable instead of st->ts_input. Update affected kernel versions accordingly. The code in question is only built when the AT91 ADC driver is enabled (CONFIG_AT91_ADC), so exposure is limited to Atmel/Microchip AT91 platforms that use it; other systems can deprioritise this CVE.
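The following is an added example and not the kernel's code: a minimal userspace model of the at91_ts_register() error path described above. The names st->ts_input, input_allocate_device() and input_free_device() mirror the driver, but their bodies here are stand-ins that only count how many input devices are still allocated, and the setup checks between allocation and the st->ts_input assignment are collapsed into a single fail_at switch. The enum values and the leaked_after_probe() helper are assumptions made for the demonstration.

```c
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Which step of the (modelled) probe fails. Assumed values for this example. */
enum fail_at {
    FAIL_NONE = 0,      /* registration succeeds */
    FAIL_EARLY = 1,     /* a check before st->ts_input is set fails (-ENODEV) */
    FAIL_REGISTER = 2,  /* input_register_device() fails after the assignment */
};

struct input_dev {
    const char *name;
};

struct at91_adc_state {
    struct input_dev *ts_input;  /* NULL until the setup checks pass */
};

static int live_input_devs;      /* devices allocated and not yet freed */

/* Stand-in for the kernel allocator: just counts live devices. */
static struct input_dev *input_allocate_device(void)
{
    struct input_dev *dev = calloc(1, sizeof(*dev));
    if (dev)
        live_input_devs++;
    return dev;
}

/* As in the kernel, freeing NULL is a silent no-op, which is why the
 * pre-patch code leaks quietly instead of crashing. */
static void input_free_device(struct input_dev *dev)
{
    if (!dev)
        return;
    live_input_devs--;
    free(dev);
}

/* Stand-in registration; fails only when the caller asks it to. */
static int input_register_device(struct input_dev *dev, enum fail_at mode)
{
    (void)dev;
    return mode == FAIL_REGISTER ? -EINVAL : 0;
}

/* Shared body. free_local selects which pointer the err label frees:
 * 0 = st->ts_input (pre-patch), 1 = the local 'input' (patched). */
static int at91_ts_register_model(struct at91_adc_state *st, enum fail_at mode,
                                  int free_local)
{
    struct input_dev *input;
    int ret;

    input = input_allocate_device();
    if (!input)
        return -ENOMEM;

    input->name = "at91_adc";

    if (mode == FAIL_EARLY) {
        ret = -ENODEV;
        goto err;              /* st->ts_input is still NULL here */
    }

    st->ts_input = input;

    ret = input_register_device(input, mode);
    if (ret)
        goto err;              /* here st->ts_input == input, so both forms free it */

    return 0;

err:
    input_free_device(free_local ? input : st->ts_input);
    return ret;
}

static int at91_ts_register_vulnerable(struct at91_adc_state *st, enum fail_at mode)
{
    return at91_ts_register_model(st, mode, 0);
}

static int at91_ts_register_fixed(struct at91_adc_state *st, enum fail_at mode)
{
    return at91_ts_register_model(st, mode, 1);
}

/* Run one probe attempt and return how many input devices are left allocated. */
static int leaked_after_probe(int (*reg)(struct at91_adc_state *, enum fail_at),
                              enum fail_at mode)
{
    struct at91_adc_state st = { 0 };
    int ret;

    live_input_devs = 0;
    ret = reg(&st, mode);
    if (ret == 0)
        input_free_device(st.ts_input);  /* normal teardown of a registered device */
    return live_input_devs;
}

int main(void)
{
    printf("pre-patch, early failure:  %d device(s) leaked\n",
           leaked_after_probe(at91_ts_register_vulnerable, FAIL_EARLY));
    printf("patched,   early failure:  %d device(s) leaked\n",
           leaked_after_probe(at91_ts_register_fixed, FAIL_EARLY));
    printf("pre-patch, register fails: %d device(s) leaked\n",
           leaked_after_probe(at91_ts_register_vulnerable, FAIL_REGISTER));
    return 0;
}
```

The model shows why the bug went unnoticed: when input_register_device() is what fails, st->ts_input already equals input and the old cleanup is correct; only the earlier goto leaves a device behind, and input_free_device(NULL) hides it rather than faulting.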


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91: call input_free_device() on allocated iio_dev. Current implementation of at91_ts_register() calls input_free_device() on st->ts_input, however, the err label can be reached before the allocated iio_dev is stored to st->ts_input. Thus call input_free_device() on input instead of st->ts_input.

CWE(s): none assigned

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The assigned CVSS vector (local access, low privileges, high confidentiality, integrity and availability impact) describes a locally exploitable kernel driver flaw, and exploiting such a flaw to gain elevated privileges is T1068. Note that the patch itself describes a missed free of the allocated input device on an error path, not a demonstrated memory-corruption primitive, so the mapping reflects the scored impact rather than a known exploit.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 (same product: Linux Kernel)
CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2026-23387 (same product: Linux Kernel)
CVE-2025-21856 (same product: Linux Kernel)
CVE-2025-21727 (same product: Linux Kernel)
CVE-2026-23275 (same product: Linux Kernel)
CVE-2026-31401 (same product: Linux Kernel)
CVE-2024-57980 (same product: Linux Kernel)
CVE-2026-23437 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.13; 3.16 through 5.4.290; 5.5 through 5.10.234; 5.11 through 5.15.177

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-2 Flaw Remediation
Directly remediates the improper input device cleanup in the AT91 driver by requiring timely patching of the affected Linux kernel versions.

Detect: RA-5 Vulnerability Monitoring and Scanning
Vulnerability scanning identifies the presence of CVE-2024-57904 in affected Linux kernel versions so remediation can be prioritised; on a given host, confirming whether the at91_adc driver is built or loaded is the quickest way to tell whether the finding is relevant.

Prevent: SI-16 Memory Protection
Memory protection mechanisms reduce the impact of any exploitation attempt against the mishandled device release, although the patch description itself only establishes a leak of the allocated device.
