Cyber Resilience

CVE-2024-53150

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 December 2024
Modified: 04 November 2025
KEV Added: 09 April 2025
Patch
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0112 (78.7th percentile)
Risk Priority: 35 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53150 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, it ranks in the top 21.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-41 (Port and I/O Device Access) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2024-53150 is an out-of-bounds read (CWE-125) in the Linux kernel ALSA USB-audio driver. It stems from missing validation of the bLength field while traversing clock source, clock multiplier, and clock selector descriptors, so a USB device presenting a shorter-than-expected descriptor can cause the driver to read past the end of the allocated structure.

A local attacker who can attach or emulate a malicious USB audio device is able to trigger the flaw, resulting in disclosure of adjacent kernel memory or a crash that produces a denial of service; the reported CVSS 7.1 vector reflects local access with low complexity and no user interaction.

The five referenced stable kernel commits (096bb5b43edf, 45a92cbc88e4, 74cb86e1006c, a3dd4d63eeb4, a632bdcb359f) mitigate the issue by adding explicit checks of bLength against the sizeof() of each descriptor type and, for UAC2/UAC3 selectors, additionally against the variable-length bNrInPins array and the two trailing fields; any undersized descriptor is skipped.

EPSS remains low, moving only from 0.0112 to a peak of 0.0186.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources. The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.
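The length checks described above, as an added C illustration that is not the kernel's code: the descriptor layouts are constructed and simplified (not the kernel's own structs), and the walker accepts a clock descriptor only when its bLength covers every field the parser would read, which for a selector means the fixed head plus bNrInPins source IDs plus the two trailing fields.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed, simplified UAC2 clock descriptor layouts (all 8-bit fields, so sizeof() is exact); illustrative, not the kernel's own definitions. */
enum { CS_SOURCE = 0x0A, CS_SELECTOR = 0x0B, CS_MULTIPLIER = 0x0C };
struct clock_source { uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID, bmAttributes, bmControls, bAssocTerminal, iClockSource; };
struct clock_multiplier { uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID, bCSourceID, bmControls, iClockMultiplier; };
/* Selector head only; baCSourceID[bNrInPins], bmControls and iClockSelector follow it. */
struct clock_selector { uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID, bNrInPins; };

/* Smallest bLength that covers every field we would read from this descriptor
 * (0: not a clock descriptor). Only bytes inside bLength are ever touched. */
static size_t min_clock_desc_len(const uint8_t *d, size_t blen)
{
    switch (d[2]) {                                   /* caller ensures blen >= 3 */
    case CS_SOURCE:     return sizeof(struct clock_source);
    case CS_MULTIPLIER: return sizeof(struct clock_multiplier);
    case CS_SELECTOR:
        if (blen < sizeof(struct clock_selector))     /* bNrInPins itself missing */
            return sizeof(struct clock_selector);
        return sizeof(struct clock_selector) + d[4] + 2;   /* pins + two tail fields */
    default:            return 0;
    }
}

/* Traverse a descriptor blob as the driver does (advance by bLength), counting
 * clock descriptors that are long enough and skipping undersized ones. */
size_t count_valid_clock_descs(const uint8_t *buf, size_t len, size_t *skipped)
{
    size_t pos = 0, ok = 0, bad = 0;
    while (pos < len) {
        size_t blen = buf[pos];
        if (blen < 3 || pos + blen > len) break;      /* broken framing: stop */
        size_t need = min_clock_desc_len(buf + pos, blen);
        if (need) { if (blen >= need) ok++; else bad++; }
        pos += blen;
    }
    if (skipped) *skipped = bad;
    return ok;
}

/* Constructed sample: valid source (8 bytes), source truncated to 5, valid selector with
 * 2 pins (5+2+2 = 9), selector claiming 3 pins in only 8 bytes, valid multiplier (7). */
static const uint8_t sample[] = {
    8, 0x24, CS_SOURCE, 1, 0x01, 0x03, 0, 0,
    5, 0x24, CS_SOURCE, 2, 0x01,
    9, 0x24, CS_SELECTOR, 3, 2, 1, 2, 0x03, 0,
    8, 0x24, CS_SELECTOR, 4, 3, 1, 2, 3,
    7, 0x24, CS_MULTIPLIER, 5, 1, 0x03, 0,
};
size_t sample_skipped(void) { size_t s; count_valid_clock_descs(sample, sizeof sample, &s); return s; }
```

Without the minimum-length check, the two undersized descriptors in the sample would have their missing fields read from whatever bytes follow them, which is the out-of-bounds read the patch closes.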


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- debian / debian linux: 11.0
- linux / linux kernel: ≤ 5.4.287; 5.5 to 5.10.231; 5.11 to 5.15.174

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly requires validation of all input data (here, the USB descriptor bLength and bNrInPins fields) before parsing, which is exactly the missing check that enabled the out-of-bounds read.
- SC-41 Port and I/O Device Access (prevent): Restricts which I/O devices and ports may be used, allowing an organization to block, or allow-list only, trusted USB audio devices before a crafted descriptor can be presented to the driver.
- CM-7 Least Functionality (prevent): Enforces least functionality by disabling or removing the ALSA usb-audio driver when USB audio devices are not required, eliminating the vulnerable code path entirely.
