CVE-2024-50302
HID: core: zero-initialize the report buffer
In short
The Linux kernel's HID (Human Interface Device) driver doesn't clear its memory buffer when created, potentially allowing sensitive kernel data to leak through specially crafted device reports. This could expose confidential information from the system's memory.
Technical detail
A use-after-free or uninitialized memory condition in the HID core driver's report buffer allocation allows information disclosure of kernel memory contents. The vulnerability requires a malicious or compromised HID device to send specially crafted reports; the impact is limited to confidentiality as uninitialized buffer data may be exposed to userspace via HID event streams.
Summary generated and translated by AI from the official description.
In the Linux kernel, the following vulnerability has been resolved:
HID: core: zero-initialize the report buffer
Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
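The effect of zero-initializing a report buffer at allocation, as an added userspace model (not kernel code and not taken from the fix itself). The one-slot pool, the 0xA5 "secret" pattern, the 32-byte report size and the partially filled report are constructed assumptions that illustrate one way stale bytes can reach a consumer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REPORT_LEN 32   /* constructed report size for this model */
#define STALE_BYTE 0xA5 /* constructed marker for a previous owner's data */

/* One-slot pool standing in for a kernel slab: bytes written by a previous
 * owner stay in place until the next owner overwrites them. */
static unsigned char slab[REPORT_LEN];

static unsigned char *pool_alloc(size_t len, int zero)
{
    if (len > sizeof(slab))
        return NULL;
    if (zero)
        memset(slab, 0, len);   /* hardened form: zero at allocation time */
    return slab;
}

/* Allocates a report buffer, fills only part of it from the "device", then
 * forwards the whole buffer. Returns how many stale bytes were exposed. */
static size_t stale_bytes_exposed(int zero_on_alloc)
{
    static const unsigned char short_report[4] = { 0x01, 0x02, 0x03, 0x04 };
    unsigned char out[REPORT_LEN];
    unsigned char *buf;
    size_t i, stale = 0;

    memset(slab, STALE_BYTE, sizeof(slab));  /* previous owner's leftovers */
    buf = pool_alloc(REPORT_LEN, zero_on_alloc);
    if (!buf)
        return 0;
    memcpy(buf, short_report, sizeof(short_report)); /* partial fill only */
    memcpy(out, buf, REPORT_LEN);            /* full length handed onward */

    for (i = sizeof(short_report); i < REPORT_LEN; i++)
        if (out[i] == STALE_BYTE)
            stale++;
    return stale;
}

int main(void)
{
    printf("without zeroing: %zu stale bytes\n", stale_bytes_exposed(0));
    printf("with zeroing:    %zu stale bytes\n", stale_bytes_exposed(1));
    return 0;
}
```

Zeroing at allocation removes the dependency on every driver filling or bounding the buffer correctly, which is the rationale the official description gives.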
Affected products
Linux · Linux
References
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
https://cert-portal.siemens.com/productcert/html/ssa-355557.html
https://git.kernel.org/stable/c/05ade5d4337867929e7ef664e7ac8e0c734f1aaf
https://git.kernel.org/stable/c/177f25d1292c7e16e1199b39c85480f7f8815552
https://git.kernel.org/stable/c/1884ab3d22536a5c14b17c78c2ce76d1734e8b0b
https://git.kernel.org/stable/c/3f9e88f2672c4635960570ee9741778d4135ecf5
https://git.kernel.org/stable/c/492015e6249fbcd42138b49de3c588d826dd9648
https://git.kernel.org/stable/c/9d9f5c75c0c7f31766ec27d90f7a6ac673193191
https://git.kernel.org/stable/c/d7dc68d82ab3fcfc3f65322465da3d7031d4ab46
https://git.kernel.org/stable/c/e7ea60184e1e88a3c9e437b3265cbb6439aa7e26
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html