CVE-2024-57910
Published: 19 January 2025
Summary
CVE-2024-57910 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely remediation through application of kernel patches that initialize the buffer array, preventing disclosure of uninitialized kernel memory to userspace.
- SC-4 (Information in Shared System Resources): prevents unauthorized disclosure of information in shared system resources such as the triggered buffer used to push sensor data to userspace, addressing the leak of uninitialized bytes.
- Memory protection mechanisms that restrict access to kernel stack memory reduce the risk of information disclosure from uninitialized resources in drivers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel memory disclosure via an uninitialized buffer in the vcnl4035 driver directly enables reading sensitive data from the local system.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: iio: light: vcnl4035: fix information leak in triggered buffer. The 'buffer' local array is used to push data to userspace from a triggered buffer, but it does not set an initial value for the single data element, which is a u16 aligned to 8 bytes. That leaves at least 4 bytes uninitialized even after writing an integer value with regmap_read(). Initialize the array to zero before using it to avoid pushing uninitialized information to userspace.
Deeper analysis
CVE-2024-57910 is an information disclosure vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically the vcnl4035 light sensor driver. The issue arises in the triggered buffer handling where a local 'buffer' array, used to push data to userspace, fails to fully initialize its u16 data element aligned to 8 bytes. Even after writing an integer value via regmap_read(), at least 4 bytes remain uninitialized, potentially leaking kernel stack memory to userspace. The vulnerability is classified under CWE-908 (Use of Uninitialized Resource) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering the buffer read operation in the vcnl4035 driver. Successful exploitation allows the attacker to read uninitialized kernel memory, achieving high confidentiality impact through information disclosure. The CVSS vector also indicates high availability impact, though the root cause is tied to the uninitialized data leak.
Mitigation involves applying the upstream kernel patches referenced in the stable commit logs, such as those at https://git.kernel.org/stable/c/13e56229fc81051a42731046e200493c4a7c28ff and similar URLs, which initialize the buffer array to zero before use. Security practitioners should update affected Linux kernels to incorporate these fixes.
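The record layout described above, as an added example that is not the kernel's or the driver's code: a user-space C model in which the sample slot is ALIGN(sizeof(u16), 8) bytes, a 4-byte register read fills only half of it, and a check counts how many bytes of the pushed record still hold stale stack content, with the vulnerable builder beside the zero-initializing one. The regmap stand-in, the STALE marker byte and the sample values are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed marker for bytes never written; stands in for old stack contents. */
#define STALE 0xAAu
/* Layout from the advisory: 8-byte-aligned u16 sample slot + 8-byte timestamp. */
#define RECORD_LEN 16
#define TS_OFFSET 8

/* Stand-in for regmap_read(): writes a full unsigned int (4 bytes) at offset 0,
 * so only bytes 0..3 of the 8-byte sample slot are defined afterwards. */
static void fake_regmap_read(uint32_t reg_value, uint8_t *dst)
{
    memcpy(dst, &reg_value, sizeof reg_value);
}

/* Vulnerable pattern: the record is used as found on the stack, so bytes
 * 4..7 are never written and would be pushed to userspace as-is. */
void build_record_unfixed(uint8_t *rec, uint32_t sample, int64_t ts)
{
    fake_regmap_read(sample, rec);
    memcpy(rec + TS_OFFSET, &ts, sizeof ts);
}

/* Fixed pattern: zero the record first (what a `= { }` initializer achieves). */
void build_record_fixed(uint8_t *rec, uint32_t sample, int64_t ts)
{
    memset(rec, 0, RECORD_LEN);
    fake_regmap_read(sample, rec);
    memcpy(rec + TS_OFFSET, &ts, sizeof ts);
}

/* Check: how many bytes of a finished record still carry the stale marker? */
size_t count_stale_bytes(const uint8_t *rec)
{
    size_t n = 0;
    for (size_t i = 0; i < RECORD_LEN; i++)
        if (rec[i] == STALE) n++;
    return n;
}

/* Build one record over a stale-filled stack slot and report leaked bytes. */
size_t leaked_bytes(int use_fix)
{
    uint8_t rec[RECORD_LEN];
    memset(rec, STALE, RECORD_LEN);
    if (use_fix) build_record_fixed(rec, 0x1234u, 1700000000LL);
    else build_record_unfixed(rec, 0x1234u, 1700000000LL);
    return count_stale_bytes(rec);
}
```

The unfixed builder leaves exactly the 4 padding bytes between the 4-byte register value and the timestamp undefined, matching the "at least 4 bytes uninitialized" in the commit message.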
Details
- CWE(s)