Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's IIO light VCNL4035 driver, where the local 'buffer' array used to transfer data to userspace from a triggered buffer does not initialize its single data element, a u16 aligned to 8 bytes. This oversight leaves at least 4 bytes uninitialized, even after an integer value is read using regmap_read(). The vulnerability could lead to an information leak by sending uninitialized data to userspace. The issue has been addressed by initializing the array to zero before use.
Exploitation of this vulnerability could result in an information leak, allowing uninitialized data to be sent to userspace.
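The leak described above can be reproduced in a userspace model; this is an added example, not the driver's code or the kernel patch. It assumes an 8-byte timestamp follows the data slot, uses a hypothetical fake_regmap_read() in place of regmap_read(), and simulates stale stack contents with a constructed marker byte, since reading a truly uninitialized array is undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_BYTES 8                 /* the u16 element, aligned to 8 bytes (per the description) */
#define SCAN_BYTES (SLOT_BYTES + 8)  /* assumption: an 8-byte timestamp follows the slot */
#define STALE 0xA5                   /* constructed marker standing in for leftover stack data */

/* Hypothetical stand-in for regmap_read(): it stores a full int, not a u16. */
static int fake_regmap_read(int *val)
{
    *val = 0x0123; /* constructed sample reading */
    return 0;
}

/*
 * Models the trigger handler. Stale stack data is simulated by filling the
 * array with STALE first; zero_init selects the fixed variant that zeroes the
 * array before use. Returns how many STALE bytes end up in the scan that
 * would be copied to userspace.
 */
static int stale_bytes_pushed(int zero_init, uint8_t scan_out[SCAN_BYTES])
{
    _Alignas(8) uint8_t buffer[SCAN_BYTES];
    int64_t ts = 0x0102030405060708LL; /* constructed timestamp */
    int val, leaked = 0;

    memset(buffer, zero_init ? 0 : STALE, sizeof(buffer));
    fake_regmap_read(&val);
    memcpy(buffer, &val, sizeof(val));            /* only sizeof(int) bytes are written */
    memcpy(buffer + SLOT_BYTES, &ts, sizeof(ts)); /* timestamp fills the tail */

    memcpy(scan_out, buffer, SCAN_BYTES);         /* the whole scan goes to userspace */
    for (size_t i = 0; i < SCAN_BYTES; i++)
        leaked += (scan_out[i] == STALE);
    return leaked;
}

int main(void)
{
    uint8_t scan[SCAN_BYTES];
    printf("without init: %d stale bytes\n", stale_bytes_pushed(0, scan));
    printf("zeroed first: %d stale bytes\n", stale_bytes_pushed(1, scan));
    return 0;
}
```

The stale bytes sit between the end of the int written by the read and the start of the timestamp, which is why zeroing the whole array, rather than only the data element, closes the leak.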