CVE-2024-50302
Published: 19 November 2024
Summary
CVE-2024-50302 is a medium-severity Use of Uninitialized Resource (CWE-908) vulnerability in the Linux kernel. Its CVSS base score is 5.5 (Medium).
Operationally, it ranks in the top 15.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 PE-19 (Information Leakage) and SC-4 (Information in Shared System Resources).
Deeper analysis
The vulnerability is a use of an uninitialized buffer in the Linux kernel HID subsystem. Specifically, the HID core allocated a report buffer without zeroing its contents, allowing subsequent use by various HID drivers to potentially expose kernel memory through specially crafted reports. The issue is tracked as CVE-2024-50302 with a CVSS score of 5.5 and is assigned CWE-908.
A local attacker with the ability to interact with HID devices can exploit the flaw by supplying a crafted report that causes the uninitialized buffer contents to be returned to user space. Successful exploitation results in disclosure of sensitive kernel memory while requiring low attack complexity and no user interaction.
The provided references point to upstream kernel commits that resolve the issue by ensuring the report buffer is explicitly zero-initialized at allocation time. These patches have been backported across multiple stable kernel branches.
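The following user-space model is an added example, not code from the kernel or from the upstream patches. It illustrates why zeroing at allocation time closes the leak, assuming a simplified scenario in which the device supplies fewer bytes than the buffer holds; the one-slot allocator, the function names and the 0xA5 filler are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REPORT_LEN 8   /* size the driver believes the report has (assumed) */
#define STALE 0xA5     /* constructed marker for a previous owner's data */

/* Toy one-slot allocator standing in for a kernel allocator (hypothetical). */
static unsigned char slot[REPORT_LEN];

static unsigned char *slot_alloc(int zero)
{
    if (zero)
        memset(slot, 0, sizeof(slot)); /* zero-on-allocation, as kzalloc provides */
    return slot;                        /* otherwise the old contents remain */
}

/* Count bytes from the previous owner that reach the user-space copy. */
static size_t stale_bytes_returned(int zero, const unsigned char *dev, size_t dev_len)
{
    unsigned char user[REPORT_LEN];
    unsigned char *buf;
    size_t i, stale = 0;

    memset(slot, STALE, sizeof(slot));  /* previous owner used the memory */
    buf = slot_alloc(zero);             /* report buffer reuses that memory */

    if (dev_len > REPORT_LEN)
        dev_len = REPORT_LEN;
    memcpy(buf, dev, dev_len);          /* short report: the tail is never written */
    memcpy(user, buf, REPORT_LEN);      /* the whole buffer is handed to user space */

    for (i = dev_len; i < REPORT_LEN; i++)
        if (user[i] == STALE)
            stale++;
    return stale;
}

int main(void)
{
    const unsigned char report[] = { 0x01, 0x02, 0x03 }; /* constructed input */

    printf("no zeroing: %zu stale bytes returned\n",
           stale_bytes_returned(0, report, sizeof(report)));
    printf("zeroed:     %zu stale bytes returned\n",
           stale_bytes_returned(1, report, sizeof(report)));
    return 0;
}
```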
EPSS scores remain low, with a current value of 0.0221 and a peak of only 0.0278.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44804
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
HID: core: zero-initialize the report buffer
Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.
- CWE(s)
- KEV Date Added: 04 March 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly prevents unintended information transfer from kernel memory via uninitialized shared buffers allocated for HID reports.
Requires controls to stop system information leakage through data structures such as the HID report buffer.
Enforces process/kernel isolation boundaries that limit the ability of a local HID device to read raw kernel memory contents.