CVE-2024-57910

HIGH

Linux Kernel 5.4.132-5.4.290 - Information Disclosure via Uninitialized Buffer in vcnl4035 Light Sensor Driver

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: iio: light: vcnl4035: fix information leak in triggered buffer The 'buffer' local array is used to push data to userspace from a triggered buffer, but it does not set an initial value for the single data element, which is an u16 aligned to 8 bytes. That leaves at least 4 bytes uninitialized even after writing an integer value with regmap_read(). Initialize the array to zero before using it to avoid pushing uninitialized information to userspace.

References (9)

Core 9

Scores

CVSS v3 7.1
EPSS 0.0021
EPSS Percentile 10.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-908
Status published
Products (24)
Linux/Linux < 5.14
Linux/Linux 4637815d7922c4bce3bacb13dd1fb5e9a7d167d8
Linux/Linux 49739675048d372946c1ef136c466d5675eba9f0 - b0e9c11c762e4286732d80e66c08c2cb3157b06b
Linux/Linux 5.10.234 - 5.10.*
Linux/Linux 5.10.50 - 5.10.234
Linux/Linux 5.12.17 - 5.13
Linux/Linux 5.13.2 - 5.14
Linux/Linux 5.14
Linux/Linux 5.15.177 - 5.15.*
Linux/Linux 5.4.132 - 5.4.290
... and 14 more
Published Jan 19, 2025
Tracked Since Feb 18, 2026