Information Leak in Linux Kernel's VCNL4035 Light Sensor
CVE-2024-57910
Summary
A vulnerability exists in the Linux kernel's handling of the VCNL4035 light sensor: a local buffer used to transfer data to userspace can leak uninitialized data. The buffer's data elements are not given an initial value, so after an integer value is read into it at least 4 bytes remain uninitialized and may contain remnants of previous data, potentially exposing sensitive information. The mitigation is to zero-initialize the buffer before it is used for the data transfer.
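The gap described in the summary can be reproduced in a small userspace model. This is an added example, not the kernel driver's code: the 16-byte record layout, the `model_read` helper, the 0xA5 marker and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout for this model (not taken from the driver source):
 * a sample slot at offset 0, an 8-byte timestamp at offset 8. */
#define SCAN_BYTES 16
#define TS_OFFSET  8
#define STALE      0xA5  /* constructed marker standing in for old memory contents */

/* Hypothetical stand-in for the sensor read: stores one 4-byte integer. */
static void model_read(uint8_t *dst)
{
    int32_t v = 0x0123;  /* constructed sample value */
    memcpy(dst, &v, sizeof v);
}

/* Build the record that would be handed to userspace. */
static void build_scan(uint8_t *buf, int zero_first, int64_t ts)
{
    memset(buf, STALE, SCAN_BYTES);      /* simulate leftovers in the local buffer */
    if (zero_first)
        memset(buf, 0, SCAN_BYTES);      /* mitigation: zero-initialize first */
    model_read(buf);
    memcpy(buf + TS_OFFSET, &ts, sizeof ts);
}

/* Count bytes of the outgoing record that still hold leftover data. */
static size_t stale_bytes(const uint8_t *buf)
{
    size_t n = 0;
    for (size_t i = 0; i < SCAN_BYTES; i++)
        n += (buf[i] == STALE);
    return n;
}

/* Leaked byte count for the unfixed (0) or zero-initialized (1) path. */
static size_t leaked(int zero_first)
{
    uint8_t buf[SCAN_BYTES];
    build_scan(buf, zero_first, 1700000000);  /* constructed timestamp */
    return stale_bytes(buf);
}

int main(void)
{
    printf("without zeroing: %zu stale bytes\n", leaked(0));
    printf("with zeroing:    %zu stale bytes\n", leaked(1));
    return 0;
}
```

In this model the stale bytes sit between the end of the integer and the start of the timestamp, which is why writing the sample alone does not cover them.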
Affected Version(s)
Linux da8ef748fec2d55db0ae424ab40eee0c737564aa < 13e56229fc81051a42731046e200493c4a7c28ff
Linux 49739675048d372946c1ef136c466d5675eba9f0
Linux ec90b52c07c0403a6db60d752484ec08d605ead0