CVE-2024-57911
Published: 19 January 2025
Summary
CVE-2024-57911 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Patch application: directly mitigates the vulnerability by identifying, reporting, and applying the kernel patch that replaces kmalloc() with kzalloc(), so the data buffer is zero-initialized and uninitialized memory is never pushed to userspace.
- SC-4 (Information in Shared System Resources): prevents unauthorized information transfer through shared kernel-to-userspace buffers such as the IIO dummy triggered buffer, by enforcing isolation that blocks leaks of uninitialized kernel memory.
- SI-16 (Memory Protection): protects kernel memory from unauthorized disclosure to userspace, which is exactly the failure here, where stale kernel memory in the unwritten part of the scan reaches the reader of the triggered buffer.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Data from Local System (T1005): local disclosure of uninitialized kernel memory through the IIO dummy buffer lets an attacker collect sensitive data from the local system.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer The 'data' array is allocated via kmalloc() and it is used to push data to user space from a triggered buffer, but it does not set values for inactive channels, as it only uses iio_for_each_active_channel() to assign new values. Use kzalloc for the memory allocation to avoid pushing uninitialized information to userspace.
Deeper analysis
CVE-2024-57911 is an information disclosure vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, in the dummy driver's triggered-buffer code (named iio_simply_dummy_buffer in the title of the fix). The trigger handler allocates the 'data' array with kmalloc(), writes a sample for each active channel using iio_for_each_active_channel(), and then pushes the whole array to userspace. Inactive channels, and any other bytes of the array the loop did not write, keep whatever the allocator handed back, so stale kernel memory is copied to any userspace reader of the buffer. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) and is classified under CWE-908 (Use of Uninitialized Resource).
A local attacker with low privileges (PR:L) can exploit this vulnerability by reading from the affected IIO dummy triggered buffer; the attack requires local access, has low complexity and needs no user interaction. The vector assigns high confidentiality impact (leakage of uninitialized kernel memory) and high availability impact within an unchanged scope, although the fix commit describes only the disclosure. Exposure is limited to kernels built with the dummy driver (CONFIG_IIO_SIMPLE_DUMMY), which is a testing and demonstration driver rather than support for real hardware, and to users who can read its buffer device; checking the running kernel's configuration for that option is the quickest way to tell whether a host is affected at all.
Mitigation is applying the upstream fix, which replaces the kmalloc() of the 'data' array with kzalloc() so that every byte the handler does not write is zero instead of stale kernel memory. The fix is carried in the following stable-branch commits:
- https://git.kernel.org/stable/c/006073761888a632c5d6f93e47c41760fa627f77
- https://git.kernel.org/stable/c/03fa47621bf8fcbf5994c5716021527853f9af3d
- https://git.kernel.org/stable/c/333be433ee908a53f283beb95585dfc14c8ffb46
- https://git.kernel.org/stable/c/74058395b2c63c8a438cf199d09094b640f8c7f4
- https://git.kernel.org/stable/c/b0642d9c871aea1f28eb02cd84d60434df594f67
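As an added illustration (this is not kernel code and not taken from the fix), the following userspace C model reproduces the shape of the trigger handler as the commit message describes it: a scan buffer of scan_bytes is obtained, samples are written only for the active channels at the front of it, a 64-bit timestamp is stored at the 8-byte-aligned tail, and the whole buffer is pushed to userspace. A caller-supplied buffer pre-filled with a 0xAA marker stands in for stale kernel heap; the kmalloc() path leaves it untouched, the kzalloc() path zeroes it first, which is all the upstream fix changes. The channel count, the readings, the active masks and the scan_bytes sizing rule (active samples padded to timestamp alignment, plus the timestamp) are assumptions of the model, not values from the driver.

```c
/*
 * Userspace model of the CVE-2024-57911 pattern (added example, not kernel
 * code). The device, its readings and the scan layout are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ALIGN_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))
#define NUM_CHANNELS 4   /* hypothetical device with four 16-bit channels */

/* Constructed sensor readings, one per channel. None contains 0xAA, so the
 * marker count below cannot be confused by real sample bytes. */
static const uint16_t fake_readings[NUM_CHANNELS] = { 0x1111, 0x2222, 0x3333, 0x4444 };

/* Model of how the scan is sized: the active 16-bit samples, padded up to the
 * 8-byte alignment of the int64 timestamp, plus the timestamp itself. */
size_t scan_bytes(unsigned active_mask)
{
    unsigned n = 0;
    for (unsigned j = 0; j < NUM_CHANNELS; j++)
        if (active_mask & (1u << j))
            n++;
    return ALIGN_UP(n * sizeof(uint16_t), 8) + sizeof(int64_t);
}

/* Handler body shared by both variants: pack a sample for each active channel
 * at the front of the buffer (the iio_for_each_active_channel() loop), then
 * store the timestamp at the tail (iio_push_to_buffers_with_timestamp()).
 * Nothing touches the bytes in between. */
static void fill_scan(uint8_t *buf, size_t len, unsigned active_mask, int64_t ts)
{
    size_t off = 0;
    for (unsigned j = 0; j < NUM_CHANNELS; j++) {
        if (active_mask & (1u << j)) {
            memcpy(buf + off, &fake_readings[j], sizeof(fake_readings[j]));
            off += sizeof(fake_readings[j]);
        }
    }
    memcpy(buf + len - sizeof(ts), &ts, sizeof(ts));
}

/* Vulnerable variant: kmalloc() returns memory with its previous contents. */
void handler_kmalloc(uint8_t *buf, size_t len, unsigned active_mask, int64_t ts)
{
    fill_scan(buf, len, active_mask, ts);
}

/* Fixed variant: kzalloc() returns zeroed memory, so unwritten bytes are 0. */
void handler_kzalloc(uint8_t *buf, size_t len, unsigned active_mask, int64_t ts)
{
    memset(buf, 0, len);
    fill_scan(buf, len, active_mask, ts);
}

/* Bytes of the pushed scan that still hold the stale marker: each one would
 * have been copied to userspace. */
size_t leaked_bytes(const uint8_t *buf, size_t len, uint8_t marker)
{
    size_t n = 0;
    for (size_t k = 0; k < len; k++)
        if (buf[k] == marker)
            n++;
    return n;
}

/* Fill a buffer with the marker to stand in for stale kernel heap, run the
 * chosen handler, and return how many marker bytes survived. */
size_t leak_for(unsigned active_mask, int zeroed)
{
    uint64_t raw[8];                     /* 8-byte aligned storage, 64 bytes */
    uint8_t *buf = (uint8_t *)raw;
    size_t len = scan_bytes(active_mask);
    const int64_t ts = 0x0102030405060708LL;   /* no 0xAA byte in it either */

    memset(raw, 0xAA, sizeof(raw));
    if (zeroed)
        handler_kzalloc(buf, len, active_mask, ts);
    else
        handler_kmalloc(buf, len, active_mask, ts);
    return leaked_bytes(buf, len, 0xAA);
}

int main(void)
{
    for (unsigned mask = 1; mask < (1u << NUM_CHANNELS); mask++)
        printf("mask 0x%x: scan_bytes=%zu, stale bytes pushed: kmalloc=%zu kzalloc=%zu\n",
               mask, scan_bytes(mask), leak_for(mask, 0), leak_for(mask, 1));
    return 0;
}
```

Running it shows that with one of the four channels active, 6 of the 16 pushed bytes are stale on the kmalloc() path and none on the kzalloc() path; with all four channels active the padding disappears and nothing leaks, which is why a test that enables every channel can miss this class of bug while a reader of a partially enabled buffer sees kernel memory on every scan.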
Details
- CWE(s)