CVE-2024-53150
Linux Kernel Out-of-Bounds Read Vulnerability - [Actively Exploited]
Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads.

For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop.

For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.
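The length checks described above, sketched as a user-space added example; it is not the kernel patch or the driver's own code. The struct layouts are simplified, all function names are hypothetical, and the outer check of bLength against the remaining buffer goes beyond what the description states.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified, illustrative layouts; every field is one byte. */
struct clk_source {
    uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID,
            bmAttributes, bmControls, bAssocTerminal, iClockSource;
};
struct clk_selector {  /* head only: baCSourceID[bNrInPins] + 2 tail bytes follow */
    uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID, bNrInPins;
};
enum { CS_INTERFACE = 0x24, CLOCK_SOURCE = 0x0a, CLOCK_SELECTOR = 0x0b };

static int valid_clock_source(const uint8_t *d, int id)
{
    const struct clk_source *cs = (const void *)d;
    return cs->bLength >= sizeof(*cs) && cs->bClockID == id;
}

static int valid_clock_selector(const uint8_t *d, int id)
{
    const struct clk_selector *cs = (const void *)d;
    /* head first (so bNrInPins is in bounds), then the pin array and two tail fields */
    return cs->bLength >= sizeof(*cs) && cs->bClockID == id &&
           cs->bLength >= sizeof(*cs) + cs->bNrInPins + 2;
}

/* Return the first valid descriptor of `subtype` for clock `id` in buf[0..len). */
const uint8_t *find_clock_desc(const uint8_t *buf, size_t len, uint8_t subtype, int id)
{
    size_t off = 0;
    while (len - off >= 3) {
        const uint8_t *d = buf + off;
        if (d[0] < 3 || d[0] > len - off)  /* zero or overlong bLength: stop */
            return NULL;
        if (d[1] == CS_INTERFACE && d[2] == subtype &&
            (subtype == CLOCK_SELECTOR ? valid_clock_selector(d, id)
                                       : valid_clock_source(d, id)))
            return d;
        off += d[0];                       /* too-short candidates are skipped */
    }
    return NULL;
}

/* Constructed sample: bogus selector, well-formed selector, bogus short source. */
static const uint8_t sample[] = { 5, 0x24, 0x0b, 9, 4,
                                  9, 0x24, 0x0b, 9, 2, 1, 2, 0, 0,
                                  4, 0x24, 0x0a, 3 };

int main(void) { return find_clock_desc(sample, sizeof(sample), CLOCK_SELECTOR, 9) != sample + 5; }
```

The first selector in the sample claims four input pins while its bLength covers only the fixed head, so it is skipped and the well-formed selector that follows is returned instead.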
INFO
Published Date: Dec. 24, 2024, 12:15 p.m.
Last Modified: April 10, 2025, 3:39 p.m.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable: No
Impact Score: 5.9
Exploitability Score: 1.8
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Linux Kernel contains an out-of-bounds read vulnerability in the USB-audio driver that allows a local, privileged attacker to obtain potentially sensitive information.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://lore.kernel.org/linux-cve-announce/2024122427-CVE-2024-53150-3a7d@gregkh/ ; https://source.android.com/docs/security/bulletin/2025-04-01 ; https://nvd.nist.gov/vuln/detail/CVE-2024-53150
Public PoC/Exploit Available at Github
CVE-2024-53150 has 1 public PoC/exploit available on GitHub.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).
CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild and CryptoGen Nepal aims to simplify this for the general public in a more understandable way as well as in a format that can be easily integrated into their threat intelligence systems.
The following news articles mention the CVE-2024-53150 vulnerability anywhere in the article.

-
The Hacker News
⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More
Attackers aren't waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched ...

-
Daily CyberSecurity
Critical Vulnerability (CVE-2025-31498) Patched in c-ares DNS Library
The Domain Name System (DNS) plays a pivotal role, translating human-friendly domain names into the numerical IP addresses that computers understand. And at the heart of many applications facilitating ...

-
Cyber Security News
CISA Warns of Linux USB-Audio Driver Out-of-Bounds Vulnerability Exploited in the Wild
The Cybersecurity and Infrastructure Security Agency (CISA) has added two significant Linux kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog yesterday, confirming both flaws ...

-
TheCyberThrone
CISA adds Two Linux Kernel bugs to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical Linux kernel vulnerabilities, CVE-2024-53150 and CVE-2024-53197, to its Known Exploited Vulnerabilities (KEV) Catalog ...

-
Daily CyberSecurity
CISA Warns of Actively Exploited Linux Kernel Vulnerabilities (CVE-2024-53197, CVE-2024-53150)
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning after adding two newly discovered Linux kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, co ...

-
Dark Reading
2 Android Zero-Day Bugs Under Active Exploit
Google has patched 62 vulnerabilities in Android, including two zero-days that are actively being exploited in attacks, tracked as CVE-2024-53197 ...

-
TheCyberThrone
Google Android Security Update April 2025
The April 2025 Android security update is a comprehensive effort by Google to enhance the security of Android devices worldwide. By addressing 62 vulnerabilities, including two actively exploited zero ...

-
Cyber Security News
Google Patched Android 0-Day Vulnerability Exploited in the Wild
Google has released its April 2025 Android Security Bulletin, addressing numerous critical vulnerabilities including two zero-day flaws actively exploited in targeted attacks. This marks the third con ...

-
The Hacker News
Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities
Google has shipped patches for 62 vulnerabilities, two of which it said have been exploited in the wild. The two high-severity vulnerabilities are listed below - CVE-20 ...

-
BleepingComputer
Google fixes Android zero-days exploited in attacks, 60 other flaws
Google has released patches for 62 vulnerabilities in Android's April 2025 security update, including two zero-days exploited in targeted attacks. One of the zero-days, a high-severity privilege escal ...
The following table lists the changes that have been made to the CVE-2024-53150 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Apr. 10, 2025
Action | Type | Old Value | New Value

-
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Apr. 10, 2025
Action | Type | Old Value | New Value
Added | Date Added | | 2025-04-09
Added | Due Date | | 2025-04-30
Added | Required Action | | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Added | Vulnerability Name | | Linux Kernel Out-of-Bounds Read Vulnerability

-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Apr. 07, 2025
Action | Type | Old Value | New Value
Added | CVSS V3.1 | | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added | CWE | | CWE-125

-
Initial Analysis by [email protected]
Jan. 07, 2025
Action | Type | Old Value | New Value
Added | CVSS V3.1 | | NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Added | CWE | | NIST CWE-125
Added | CPE Configuration | | OR
    *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 5.4.287
    *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.231
    *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.174
    *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.120
    *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.64
    *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.11.11
    *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.12 up to (excluding) 6.12.2
Changed | Reference Type | https://git.kernel.org/stable/c/096bb5b43edf755bc4477e64004fa3a20539ec2f No Types Assigned | https://git.kernel.org/stable/c/096bb5b43edf755bc4477e64004fa3a20539ec2f Patch
Changed | Reference Type | https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b No Types Assigned | https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b Patch
Changed | Reference Type | https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77 No Types Assigned | https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/a3dd4d63eeb452cfb064a13862fb376ab108f6a6 No Types Assigned | https://git.kernel.org/stable/c/a3dd4d63eeb452cfb064a13862fb376ab108f6a6 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/a632bdcb359fd8145e86486ff8612da98e239acd No Types Assigned | https://git.kernel.org/stable/c/a632bdcb359fd8145e86486ff8612da98e239acd Patch
Changed | Reference Type | https://git.kernel.org/stable/c/ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9 No Types Assigned | https://git.kernel.org/stable/c/ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/da13ade87a12dd58829278bc816a61bea06a56a9 No Types Assigned | https://git.kernel.org/stable/c/da13ade87a12dd58829278bc816a61bea06a56a9 Patch
Changed | Reference Type | https://git.kernel.org/stable/c/ea0fa76f61cf8e932d1d26e6193513230816e11d No Types Assigned | https://git.kernel.org/stable/c/ea0fa76f61cf8e932d1d26e6193513230816e11d Patch

-
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Dec. 24, 2024
Action | Type | Old Value | New Value
Added | Description | | (the text given under Description at the top of this page)
Added | Reference | | https://git.kernel.org/stable/c/096bb5b43edf755bc4477e64004fa3a20539ec2f
Added | Reference | | https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b
Added | Reference | | https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77
Added | Reference | | https://git.kernel.org/stable/c/a3dd4d63eeb452cfb064a13862fb376ab108f6a6
Added | Reference | | https://git.kernel.org/stable/c/a632bdcb359fd8145e86486ff8612da98e239acd
Added | Reference | | https://git.kernel.org/stable/c/ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9
Added | Reference | | https://git.kernel.org/stable/c/da13ade87a12dd58829278bc816a61bea06a56a9
Added | Reference | | https://git.kernel.org/stable/c/ea0fa76f61cf8e932d1d26e6193513230816e11d
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-53150 is associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-53150 weaknesses.