CVE-2024-53104
Published: 02 December 2024
Summary
CVE-2024-53104 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an out-of-bounds write in the Linux kernel's uvcvideo driver within the media subsystem. It stems from uvc_parse_format failing to account for frames of type UVC_VS_UNDEFINED when uvc_parse_streaming calculates the required size of the frames buffer, allowing writes beyond allocated memory. The issue affects systems exposing UVC-compliant video devices to the kernel's USB video class implementation and carries a CVSS score of 7.8 with CWE-787.
A local attacker with low privileges can trigger the flaw by supplying a maliciously crafted UVC video stream or device descriptor, leading to arbitrary memory corruption with high impact on confidentiality, integrity, and availability. No user interaction or elevated permissions are required, and the attack occurs in kernel context during device enumeration or format parsing.
The referenced stable kernel commits (including 1ee9d9122801, 467d84dc78c9, and 575a562f7a3e) implement the fix by explicitly skipping UVC_VS_UNDEFINED frames during parsing, and corresponding updates have been merged into supported mainline and distribution kernels.
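The sizing mismatch and the fix described above, as a simplified model in C (an added example, not the kernel's code). The three-byte descriptor layout, the function names, `MAX_SLOTS` and the `SAMPLE` bytes are constructed for illustration, and a capacity check stands in for the out-of-bounds write so the model reports the mismatch instead of corrupting memory.

```c
#include <stddef.h>
#include <stdint.h>
/* Model constants: descriptor type and the two subtypes used here. */
#define DT_CS_INTERFACE       0x24
#define VS_UNDEFINED          0x00
#define VS_FRAME_UNCOMPRESSED 0x05
#define MAX_SLOTS             16
/* Constructed sample: two counted frames, then one frame of subtype 0. */
const uint8_t SAMPLE[] = { 3, 0x24, 0x05,  3, 0x24, 0x05,  3, 0x24, 0x00 };

/* Sizing pass: counts only the frame subtype it knows about. */
size_t count_frames(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    while (len > 2 && buf[0] > 2 && buf[0] <= len) {
        if (buf[1] == DT_CS_INTERFACE && buf[2] == VS_FRAME_UNCOMPRESSED)
            n++;
        len -= buf[0];
        buf += buf[0];
    }
    return n;
}

/* Parsing pass for one format: records the offset of every frame whose
 * subtype equals ftype. Returns the slot count, or -1 where code without
 * the capacity check would write past the buffer sized by count_frames(). */
long parse_format(const uint8_t *buf, size_t len, uint8_t ftype,
                  int skip_undefined, size_t *slots, size_t cap, long used)
{
    size_t off = 0;
    if (used < 0 || (skip_undefined && ftype == VS_UNDEFINED))
        return used;              /* the fix: parse no frames for subtype 0 */
    while (len - off > 2 && buf[off] > 2 && buf[off] <= len - off) {
        if (buf[off + 1] == DT_CS_INTERFACE && buf[off + 2] == ftype) {
            if ((size_t)used >= cap)
                return -1;        /* more frames parsed than were counted */
            slots[used++] = off;
        }
        off += buf[off];
    }
    return used;
}

/* Sizes the slot array with pass 1, then fills it with pass 2. */
long parse_stream(const uint8_t *buf, size_t len, int skip_undefined)
{
    size_t slots[MAX_SLOTS];
    size_t cap = count_frames(buf, len);
    long used = cap > MAX_SLOTS ? -1 : 0;
    used = parse_format(buf, len, VS_FRAME_UNCOMPRESSED, skip_undefined, slots, cap, used);
    return parse_format(buf, len, VS_UNDEFINED, skip_undefined, slots, cap, used);
}
```

With `skip_undefined` set to 0 the parsing pass tries to store a third frame in a buffer sized for two; with it set to 1 the two passes agree.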
EPSS currently stands at 0.1803 with no documented public exploitation at the time of disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51776
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format. This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.
- CWE(s)
- KEV Date Added: 05 February 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of untrusted input (UVC frame descriptors) before parsing, preventing the missing UVC_VS_UNDEFINED case that caused the out-of-bounds write.
Mandates timely application of the upstream kernel patch that skips UVC_VS_UNDEFINED frames in uvc_parse_format, eliminating the vulnerable code path.
Provides memory-protection mechanisms that can block or contain the memory corruption resulting from the out-of-bounds write in the uvcvideo driver.