Cyber Resilience

CVE-2024-50302

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Updated

Published: 19 November 2024

Modified: 12 May 2026
KEV Added: 04 March 2025
CVSS Score v3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0221 (84.8th percentile)
Risk Priority: 32 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-50302 is a medium-severity Use of Uninitialized Resource (CWE-908) vulnerability in the Linux kernel. Its CVSS base score is 5.5 (Medium).

Operationally, it ranks in the top 15.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 PE-19 (Information Leakage) and SC-4 (Information in Shared System Resources).

Deeper analysis

The vulnerability is a use of an uninitialized buffer in the Linux kernel HID subsystem. Specifically, the HID core allocated a report buffer without zeroing its contents, allowing subsequent use by various HID drivers to potentially expose kernel memory through specially crafted reports. The issue is tracked as CVE-2024-50302 with a CVSS score of 5.5 and is assigned CWE-908.

A local attacker with the ability to interact with HID devices can exploit the flaw by supplying a crafted report that causes the uninitialized buffer contents to be returned to user space. Successful exploitation results in disclosure of sensitive kernel memory while requiring low attack complexity and no user interaction.

The provided references point to upstream kernel commits that resolve the issue by ensuring the report buffer is explicitly zero-initialized at allocation time. These patches have been backported across multiple stable kernel branches.
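A userspace model of the bug class described above, added here as an illustration and not taken from the kernel source or from this page's references: a recycled buffer that is not zeroed hands back stale bytes when a report shorter than the buffer is copied out in full. The one-slot pool, the function names, the buffer size and the 0xA5 filler are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define REPORT_BUF_LEN 64   /* constructed buffer size */
#define STALE_FILL 0xA5     /* constructed stand-in for a previous owner's data */

/* One-slot pool standing in for an allocator that recycles freed objects. */
static unsigned char slab[REPORT_BUF_LEN];

/* Hypothetical allocator: zero != 0 models the zero-initializing fix. */
static unsigned char *alloc_report_buf(int zero)
{
    if (zero)
        memset(slab, 0, sizeof(slab));
    return slab;
}

/* The device supplies a report shorter than the buffer and the caller copies
 * the whole buffer out. Returns how many stale bytes reach the caller. */
static size_t stale_bytes_returned(int zero, const unsigned char *report,
                                   size_t report_len, unsigned char *out)
{
    size_t i, stale = 0;
    unsigned char *buf;

    memset(slab, STALE_FILL, sizeof(slab)); /* previous owner's leftovers */
    buf = alloc_report_buf(zero);
    if (report_len > REPORT_BUF_LEN)
        report_len = REPORT_BUF_LEN;        /* never write past the buffer */
    memcpy(buf, report, report_len);        /* only these bytes are defined */
    memcpy(out, buf, REPORT_BUF_LEN);       /* full-length copy-out */
    for (i = report_len; i < REPORT_BUF_LEN; i++)
        stale += (out[i] == STALE_FILL);
    return stale;
}

int main(void)
{
    const unsigned char short_report[4] = { 0x01, 0x00, 0x10, 0x20 }; /* constructed */
    unsigned char out[REPORT_BUF_LEN];

    printf("non-zeroed: %zu stale bytes\n", stale_bytes_returned(0, short_report, 4, out));
    printf("zeroed:     %zu stale bytes\n", stale_bytes_returned(1, short_report, 4, out));
    return 0;
}
```

Zeroing at allocation closes the leak for every consumer of the buffer at once, which is why the fix sits in the shared allocation path rather than in each driver.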

EPSS scores remain low, with a current value of 0.0221 and a peak of only 0.0278.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

HID: core: zero-initialize the report buffer

Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.

CWE(s)
KEV Date Added: 04 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Versions
google / android: all versions
debian / debian linux: 11.0
siemens / simatic s7-1500 tm mfp firmware: all versions
siemens / sinec os: ≤ 3.2
linux / linux kernel: 6.12 · 3.12 — 4.19.324 · 4.20 — 5.4.286 · 5.5 — 5.10.230

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly prevents unintended information transfer from kernel memory via uninitialized shared buffers allocated for HID reports.

prevent: Requires controls to stop system information leakage through data structures such as the HID report buffer.

prevent: Enforces process/kernel isolation boundaries that limit the ability of a local HID device to read raw kernel memory contents.

References