CVE-2024-44931

gpio: prevent potential speculation leaks in gpio_device_get_desc()

Description

In the Linux kernel, the following vulnerability has been resolved: gpio: prevent potential speculation leaks in gpio_device_get_desc() Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpio_ioctl() with an offset out of range. Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization in gpio_device_get_desc(). This change ensures that the offset is sanitized by using array_index_nospec() to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.03%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/18504710442671b02d00e6db9804a0ad26c5a479
https://git.kernel.org/stable/c/9ae2d8e75b741dbcb0da374753f972410e83b5f3
https://git.kernel.org/stable/c/9d682e89c44bd5819b01f3fbb45a8e3681a4b6d0
https://git.kernel.org/stable/c/c65ab97efcd438cb4e9f299400f2ea55251f3a67
https://git.kernel.org/stable/c/672c19165fc96dfad531a5458e0b3cdab414aae4
https://git.kernel.org/stable/c/1b955f786a4bcde8c0ccb2b7d519def2acb6f3cc patch
https://git.kernel.org/stable/c/d776c0486b03a5c4afca65b8ff44573592bf93bb patch
https://git.kernel.org/stable/c/d795848ecce24a75dfd46481aee066ae6fe39775 patch

Frequently Asked Questions

What is the severity of CVE-2024-44931?
CVE-2024-44931 has been scored as a medium severity vulnerability.
How to fix CVE-2024-44931?
To fix CVE-2024-44931, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-44931 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-44931 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-44931?
CVE-2024-44931 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.