CVE-2024-50198: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50198 affects the Linux kernel's VEML6030 ambient light sensor driver. The vulnerability was discovered in November 2024 and involves an incorrect device pointer handling in the IIO (Industrial I/O) subsystem. The issue affects Linux kernel versions from 5.5 through 6.11.5, including various release candidates of version 6.12 (NVD).

The vulnerability stems from incorrect device pointer handling in the inilluminanceperiodavailableshow function of the VEML6030 driver. The dev pointer received as an argument references the device embedded in the IIO device, not in the i2c client, requiring the use of devtoiio_dev() to access the correct data. The implementation leads to a NULL pointer dereference, resulting in a segmentation fault on every attempt to read the attribute. This issue has been classified with a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in a segmentation fault when attempting to read the illuminance period attribute, causing a denial of service condition. The bug affects the functionality of the VEML6030 ambient light sensor, potentially disrupting systems that rely on this sensor for light measurements (Kernel Patch).

The issue has been fixed in the Linux kernel through a patch that correctly retrieves the IIO device using devtoiio_dev(). The fix has been backported to multiple stable kernel versions. Users should update to patched kernel versions that include the fix (Kernel Patch).