CVE-2024-57910

HIGH

Linux Kernel < 5.4.290 - Use of Uninitialized Resource

Title source: rule

Description

In the Linux kernel, the following vulnerability has been resolved: iio: light: vcnl4035: fix information leak in triggered buffer The 'buffer' local array is used to push data to userspace from a triggered buffer, but it does not set an initial value for the single data element, which is an u16 aligned to 8 bytes. That leaves at least 4 bytes uninitialized even after writing an integer value with regmap_read(). Initialize the array to zero before using it to avoid pushing uninitialized information to userspace.

References (9)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

[Patch] https://git.kernel.org/stable/c/13e56229fc81051a42731046e200493c4a7c28ff

[Patch] https://git.kernel.org/stable/c/47b43e53c0a0edf5578d5d12f5fc71c019649279

[Patch] https://git.kernel.org/stable/c/47d245be86492974db3aeb048609542167f56518

[Patch] https://git.kernel.org/stable/c/a15ea87d4337479c9446b5d71616f4668337afed

[Patch] https://git.kernel.org/stable/c/b0e9c11c762e4286732d80e66c08c2cb3157b06b

[Patch] https://git.kernel.org/stable/c/cb488706cdec0d6d13f2895bcdf0c32b283a7cc7

[Patch] https://git.kernel.org/stable/c/f6fb1c59776b4263634c472a5be8204c906ffc2c

Scores

CVSS v3 7.1

EPSS 0.0002

EPSS Percentile 3.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-908

Status published

Products (2)

linux/linux_kernel 6.13 rc1 (6 CPE variants)

linux/linux_kernel 5.4.132 - 5.4.290

Published Jan 19, 2025

Tracked Since Feb 18, 2026