CVE-2024-57908: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57908 is an information leak vulnerability discovered in the Linux kernel's Industrial I/O (IIO) subsystem, specifically in the kmx61 IMU driver. The vulnerability was disclosed on January 19, 2025, affecting Linux kernel versions from 4.0 up to versions before 6.1.125, 6.6.72, and 6.12.10. The issue occurs in the triggered buffer functionality where uninitialized data could be exposed to userspace due to improper handling of inactive channels (NVD).

The vulnerability stems from a local array named 'buffer' that is used to push data to userspace from a triggered buffer in the kmx61 IMU driver. The issue arises because the code only uses iioforeachactivechannel() to assign new values but does not set values for inactive channels, potentially exposing uninitialized memory contents. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, indicating local access requirements with high impact on confidentiality and availability (NVD).

The vulnerability could lead to the exposure of sensitive kernel memory contents to userspace through uninitialized buffer values, potentially revealing sensitive information. This information leak could be leveraged by local attackers to gain insights into kernel memory layout or sensitive data, compromising system security (NVD).

The vulnerability has been patched by initializing the buffer array to zero before use. The fix has been implemented across multiple Linux kernel versions. Users are advised to upgrade to Linux kernel versions 6.1.125, 6.6.72, 6.12.10 or later. The patch involves a simple initialization of the buffer array using '{ }' to ensure all elements are zeroed before use (Kernel Patch).