CVE-2024-47671: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-47671 addresses a kernel-usb-infoleak vulnerability in the Linux kernel's USB Test and Measurement Class (USBTMC) driver. The vulnerability was discovered by syzbot and reported on September 8, 2024. The issue affects Linux kernel versions from 4.20 up to versions before 6.1.112, 6.6.53, and 6.10.12 (NVD).

The vulnerability exists in the usbtmcwrite function where a structure was not properly cleared before filling fields, potentially leading to information leakage. The issue stems from using kmalloc() instead of kzalloc() in the usbtmccreate_urb() function. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could lead to information disclosure through kernel memory leakage in the USB Test and Measurement Class driver. This could potentially expose sensitive kernel memory contents to local attackers (NVD).

The vulnerability has been patched by replacing kmalloc() with kzalloc() to ensure memory is zeroed before use. The fix has been implemented across multiple kernel versions and distributions. Ubuntu has released fixes for versions 24.10, 24.04 LTS, 22.04 LTS, and 20.04 LTS (Ubuntu).