CVE-2024-57912: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57912 is a vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically affecting the zpa2326 pressure sensor driver. The vulnerability was discovered and disclosed in January 2025, affecting Linux kernel versions from 4.9 up to versions before 6.1.125, 6.2 to 6.6.72, and 6.7 to 6.12.10 (NVD).

The vulnerability stems from an uninitialized memory structure in the zpa2326 pressure sensor driver. Specifically, the 'sample' local struct, which is used to push data to user space from a triggered buffer, contains a gap between the temperature and timestamp fields (u32 pressure, u16 temperature, GAP, u64 timestamp). This gap is never initialized before being sent to userspace, potentially leaking kernel memory information. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

The vulnerability could lead to information disclosure, potentially revealing sensitive kernel memory contents to local users. This could allow attackers to gather information about the system's state or potentially aid in other attacks. The high CVSS score reflects the significant potential for information disclosure and availability impact (NVD).

The vulnerability has been fixed by initializing the struct to zero before using it, preventing the information leak. The fix has been implemented in various kernel versions through patches. Debian has released fixes in versions 5.10.234-1 for bullseye and 6.1.128-1 for bookworm (Debian Tracker).