CVE-2024-53076: 
Linux Kernel vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2024-53076) was discovered in the Linux kernel's IIO (Industrial I/O) subsystem. The issue affects the iiogtsbuildavailscale_table() function in the gts-helper component. The vulnerability was disclosed on November 19, 2024, and affects Linux kernel versions from 6.4 up to (excluding) 6.6.60 and from 6.7 up to (excluding) 6.11.7 (NVD).

The vulnerability occurs in the error handling path of iiogtsbuildavailscaletable() function. When pertimescales[i] or pertimegains[i] kcalloc fails in the function's for loop, the errfreeout label fails to properly free memory when i is reduced to 0. This results in pertimescales[0] and pertime_gains[0] not being freed, causing memory leaks. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to memory leaks in the Linux kernel when the affected IIO subsystem component is used. While there is no impact on confidentiality or integrity, the availability of the system could be affected due to the accumulation of leaked memory over time (NVD).

The vulnerability has been fixed by modifying the error handling path to check if i >= 0 in the loop condition, ensuring proper memory cleanup. The fix has been implemented in the Linux kernel and is available through various distribution updates. Users should update their Linux kernel to versions that include the fix (Kernel Patch).