CVE-2024-57906: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57906 is a vulnerability in the Linux kernel's TI-ADS8688 ADC driver that was discovered and disclosed on January 19, 2025. The vulnerability affects multiple versions of the Linux kernel, from version 4.19.198 through 6.13-rc6. The issue resides in the ti-ads8688 driver's triggered buffer functionality, where uninitialized data could potentially be exposed to userspace (NVD).

The vulnerability stems from a local array named 'buffer' that is used to push data to userspace from a triggered buffer in the TI-ADS8688 ADC driver. The issue occurs because the code only sets values for active channels using iio_for_each_active_channel(), leaving values for inactive channels uninitialized. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, indicating local access requirements with high confidentiality and availability impacts (NVD).

The vulnerability could lead to information disclosure as uninitialized kernel memory might be exposed to userspace through the uninitialized buffer values for inactive channels. This could potentially allow local users to access sensitive information from kernel memory (NVD).

The vulnerability has been fixed by initializing the buffer array to zero before use, preventing the leak of uninitialized information to userspace. The fix has been implemented across multiple kernel versions, and updated versions are available through various distribution channels. Debian has released fixes in versions 5.10.234-1 for bullseye and 6.1.128-1 for bookworm (Debian).