CVE-2024-57907
Published: 19 January 2025
Summary
CVE-2024-57907 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by requiring timely patching of the rockchip_saradc driver to initialize the data structure and prevent uninitialized kernel memory disclosure to userspace.
Implements memory protections such as bounds checking and confinement to minimize disclosure risks from uninitialized resources like the local data struct in the triggered buffer.
Prevents unauthorized information transfer via shared kernel-userspace resources, such as the triggered buffer where inactive channels leak uninitialized memory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Kernel info leak via uninitialized buffer directly enables local data extraction from system memory.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: iio: adc: rockchip_saradc: fix information leak in triggered buffer The 'data' local struct is used to push data to user space from a triggered buffer, but it does not set…
more
values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace.
Deeper analysisAI
CVE-2024-57907 is an information disclosure vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically the rockchip_saradc Analog-to-Digital Converter (ADC) driver. The issue arises in the handling of triggered buffers, where a local 'data' structure is used to push ADC readings to userspace. This structure is not fully initialized, as the code only assigns values to active channels via iio_for_each_active_channel(), leaving values for inactive channels uninitialized. As a result, uninitialized kernel memory can be exposed to userspace, classified under CWE-908 (Use of Uninitialized Resource). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges, such as a standard user on the system, can exploit this flaw with low complexity and no user interaction required. By triggering the ADC buffer read operation, the attacker can obtain sensitive data from uninitialized portions of kernel memory through the inactive channels in the userspace buffer. This leads to high confidentiality impact by leaking potentially sensitive kernel information, alongside a high availability impact that could result from related memory handling issues.
Mitigation involves applying upstream kernel patches, as detailed in the referenced stable commit fixes available at git.kernel.org. These patches initialize the 'data' structure to zero before use, preventing the leak of uninitialized memory. Security practitioners should update affected Linux kernels, particularly those using the rockchip_saradc driver on Rockchip-based systems, and monitor for backported fixes in downstream distributions.
Details
- CWE(s)