Use of uninitialized resource in Linux kernel soc qcom

Published: 2024-06-10 | Updated: 2025-05-13

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2024-26799
CWE-ID	CWE-908
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Linux kernel Operating systems & Components / Operating system
Vendor	Linux Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Use of uninitialized resource

EUVDB-ID: #VU91679

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26799

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the lpass_cdc_dma_daiops_trigger() function in sound/soc/qcom/lpass-cdc-dma.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 6.6 - 6.8 rc5

CPE2.3

External links

https://git.kernel.org/stable/c/99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf
https://git.kernel.org/stable/c/d5a7726e6ea62d447b79ab5baeb537ea6bdb225b
https://git.kernel.org/stable/c/1382d8b55129875b2e07c4d2a7ebc790183769ee
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.21
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.7.9
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.8

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.