CVE-2024-50198 is a vulnerability identified in the Linux kernel specifically affecting the Industrial I/O (IIO) subsystem driver for the VEML6030 ambient light sensor. The issue arises from improper handling of device pointers within the function in_illuminance_period_available_show. The function incorrectly references the device embedded in the IIO device rather than the i2c client device, leading to an erroneous NULL assignment when attempting to retrieve the IIO device structure via dev_to_iio_dev(). This results in a segmentation fault whenever the affected attribute is read. The root cause is a logic error in the pointer dereferencing and device retrieval mechanism, which has existed since the driver’s inception, including the last major version before this fix was applied. The vulnerability does not appear to have been exploited in the wild yet, and no CVSS score has been assigned. The impact is primarily a denial-of-service condition caused by the kernel crash (segmentation fault) when the attribute is accessed, which could affect systems relying on this sensor driver. The vulnerability is present in Linux kernel versions identified by the commit hash 7b779f573c48e1ad6da1d6ea5f181f3ecd666bf6 and presumably other versions containing the same driver code. The fix involves correctly using dev_to_iio_dev() to access the proper device data structure, preventing the NULL pointer dereference and consequent crash.

For European organizations, the impact of CVE-2024-50198 is primarily related to system stability and availability. Systems running Linux kernels with the vulnerable VEML6030 light sensor driver could experience kernel panics or crashes when the affected attribute is read, potentially causing denial of service. This could disrupt operations in environments where embedded Linux devices with this sensor are used, such as industrial automation, IoT deployments, or specialized hardware relying on ambient light sensing for functionality or power management. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact could be significant in critical infrastructure or manufacturing sectors where uptime is essential. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or malicious triggering of the fault. European organizations using custom or embedded Linux distributions that include this driver should be aware of potential disruptions. The impact is less severe for general-purpose desktop or server Linux installations unless they specifically include this sensor driver and hardware.

To mitigate CVE-2024-50198, European organizations should: 1) Identify Linux systems that include the VEML6030 sensor driver, particularly embedded or IoT devices using this hardware. 2) Apply the official Linux kernel patches that correct the device pointer handling in the in_illuminance_period_available_show function as soon as they become available in stable kernel releases or backported to their distribution kernels. 3) For systems where patching the kernel is not immediately feasible, consider disabling or blacklisting the VEML6030 driver module to prevent the vulnerable code from executing, if the sensor is not critical to operations. 4) Monitor system logs for kernel oops or segmentation faults related to IIO device attributes to detect attempted exploitation or accidental triggering. 5) Engage with hardware vendors and embedded system providers to ensure updated firmware or kernel versions are deployed. 6) Incorporate this vulnerability into vulnerability management and patching workflows, prioritizing embedded Linux devices in operational technology environments. These steps go beyond generic advice by focusing on identifying affected hardware, applying kernel-level fixes, and operational monitoring specific to this sensor driver vulnerability.