CVE-2024-57905: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57905 is a vulnerability discovered in the Linux kernel's Industrial I/O (IIO) subsystem, specifically in the TI-ADS1119 ADC driver. The vulnerability was identified on January 19, 2025, and affects Linux kernel versions from 6.11 up to (excluding) 6.12.10. The issue involves an information leak in the triggered buffer functionality where uninitialized data could be exposed to userspace (NVD).

The vulnerability stems from a structural hole between the 'sample' (unsigned int) field and the timestamp in the 'scan' local struct, which is used to push data from a triggered buffer to userspace. This gap in the structure was never initialized before being sent to userspace, potentially leaking kernel memory contents. The issue has been assigned a CVSS v3.1 base score of 7.1 (High), with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. The vulnerability is classified as CWE-908 (Use of Uninitialized Resource) (NVD).

The vulnerability could allow local users with appropriate privileges to access uninitialized kernel memory contents through the TI-ADS1119 ADC driver interface. This information leak could potentially expose sensitive data from the kernel space (NVD).

The vulnerability has been fixed by initializing the struct to zero using memset before using it to push data to userspace. The fix was implemented in the Linux kernel through commit 75f339d3ecd38cb1ce05357d647189d4a7f7ed08. Users should upgrade to Linux kernel version 6.12.10 or later to address this vulnerability (Kernel Patch).