CVE-2025-39690:

Uninitialized stack data leak in Linux kernel's IIO accel sca3300 driver

Score
A numerical rating that indicates how dangerous this vulnerability is.

5.5Medium

Published Date:Sep 5, 2025
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.0
EPSS Percentile:6%

Exploitability

Score:1.8
Attack Vector:LOCAL
Attack Complexity:LOW
Privileges Required:LOW
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:3.6
Confidentiality Impact:NONE
Integrity Impact:NONE
Availability Impact:HIGH

Description Preview

Uninitialized stack data leak in Linux kernel's IIO accel sca3300 driver

Overview

The vulnerability affects the Linux kernel's IIO subsystem, specifically the accelerometer driver for the SCA3300 device. The root cause of the issue was the failure to initialize the 'channels' array before its utilization, which could lead to the exposure of uninitialized stack data to userspace. This type of vulnerability can be exploited by malicious actors to gain access to sensitive information that may be present in the uninitialized memory. The severity of the issue depends on the nature of the data that could potentially be leaked, but it represents a security risk that needed to be addressed promptly.

Remediation

The vulnerability has been resolved by implementing a fix that ensures the 'channels' array is properly zeroed before use. This preventive measure eliminates the possibility of leaking uninitialized stack data to userspace. System administrators and users are strongly advised to update their Linux kernel to the latest version that includes this security patch. It is crucial to follow the standard kernel update procedures for your specific distribution to apply the fix effectively. Additionally, it is recommended to review and apply any other security updates that may be available for your system to maintain overall security posture.