PT-2025-3637 · Linux+7 · Linux Kernel+7
Javier Carrasco
·
Published
2024-12-07
·
Updated
2025-10-03
·
CVE-2024-57912
CVSS v3.1
7.1
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.74
Description
A vulnerability has been resolved in the Linux kernel. The issue is related to the
iio: pressure: zpa2326 component, where the local sample struct is used to push data to user space from a triggered buffer. However, this struct has a hole between the temperature and the timestamp, which is never initialized. This could lead to sending uninitialized information to user space. The struct should be initialized to zero before use to avoid this issue.Recommendations
For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider initializing the
sample struct to zero before using it to push data to user space. Restrict access to the triggered buffer to minimize the risk of exploitation until the update is applied.Exploit
Fix
Use of Uninitialized Resource
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu