CVE-2024-50198

Nov. 29, 2024, 8:31 p.m.

5.5
Medium

Description

In the Linux kernel, the following vulnerability has been resolved: iio: light: veml6030: fix IIO device retrieval from embedded device The dev pointer that is received as an argument in the in_illuminance_period_available_show function references the device embedded in the IIO device, not in the i2c client. dev_to_iio_dev() must be used to accessthe right data. The current implementation leads to a segmentation fault on every attempt to read the attribute because indio_dev gets a NULL assignment. This bug has been present since the first appearance of the driver, apparently since the last version (V6) before getting applied. A constant attribute was used until then, and the last modifications might have not been tested again.

Product(s) Impacted

Vendor Product Versions
Linux
  • Linux Kernel
  • *, 6.12

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-476
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel 6.12 rc1 / / / / / /
o linux linux_kernel 6.12 rc2 / / / / / /
o linux linux_kernel 6.12 rc3 / / / / / /

References

https://git.kernel.org/stable/c/2cbb41abae65626736b8b52cf3b9339612c5a86a
https://git.kernel.org/stable/c/50039aec43a82ad2495f2d0fb0c289c8717b4bb2
https://git.kernel.org/stable/c/905166531831beb067fffe2bdfc98031ffe89087
https://git.kernel.org/stable/c/bcb90518ccd9e10bf6ab29e31994aab93e4a4361
https://git.kernel.org/stable/c/bf3ab8e1c28f10df0823d4ff312f83c952b06a15
https://git.kernel.org/stable/c/c7c44e57750c31de43906d97813273fdffcf7d02

Tags

416baaa9-dc9f-4396-8d5f-8c081fb06d67
CWE-476
2024-11-08
CVE-2024-50198

CVSS Score

5.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Nov. 8, 2024, 6:15 a.m.
Last Modified: Nov. 29, 2024, 8:31 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.