CVE-2024-57911: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57911 addresses an information leak vulnerability in the Linux kernel's IIO (Industrial I/O) dummy driver's triggered buffer functionality. The vulnerability was discovered in January 2025 and affects Linux kernel versions from 4.5 through 6.13-rc6. The issue exists in the iiosimplydummy_buffer component where uninitialized memory could be exposed to userspace (NVD).

The vulnerability stems from improper memory initialization in the IIO dummy driver's triggered buffer implementation. Specifically, the 'data' array is allocated using kmalloc() and used to push data to userspace, but it only sets values for active channels through iioforeachactivechannel(), leaving inactive channels uninitialized. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, indicating local access requirements with potential for high confidentiality and availability impacts (NVD).

The vulnerability could allow an attacker with local access to read uninitialized kernel memory through inactive channels in the IIO dummy driver's triggered buffer. This information leak could potentially expose sensitive kernel data to unauthorized users (NVD).

The vulnerability has been patched by replacing kmalloc() with kzalloc() for the memory allocation, ensuring that all memory is zeroed before use. The fix has been implemented in the Linux kernel through commit 333be433ee908a53f283beb95585dfc14c8ffb46 and has been backported to various stable kernel versions (Kernel Patch).