CVE-2024-53197

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 27 December 2024

Modified: 04 November 2025
KEV Added: 09 April 2025
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0204 (84.2nd percentile)
Risk Priority: 37 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53197 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel (vendor: Linux). Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 15.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability is an out-of-bounds write (CWE-787) in the Linux kernel ALSA usb-audio driver affecting Extigy and Mbox devices. A malicious or bogus USB device can supply a bNumConfigurations value larger than the size initially allocated by usb_get_configuration for dev->config, leading to subsequent out-of-bounds accesses such as those in usb_destroy_configuration.
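The count-versus-allocation mismatch described above, as a constructed C model added here for illustration (not Linux kernel code and not the upstream fix): config[] is sized from the first-reported count, a re-read count is accepted either unchecked or rejected when it exceeds the allocation, and a teardown loop modelled on usb_destroy_configuration reports how many iterations would run past the array. All struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the bug class, not Linux kernel code: config[] is sized
 * from the count in the first descriptor read; a later read may report a larger
 * bNumConfigurations. All names are hypothetical. */
struct model_config { int id; };

struct model_dev {
    uint8_t num_configs;        /* count that later code trusts */
    uint8_t allocated_configs;  /* entries config[] really holds */
    struct model_config *config;
};

/* Size config[] from the initially reported count (the usb_get_configuration
 * step). Returns 0 on success, -1 if the allocation fails. */
static int model_alloc_configs(struct model_dev *dev, uint8_t initial_count)
{
    dev->config = calloc(initial_count ? initial_count : 1, sizeof(*dev->config));
    if (!dev->config) return -1;
    dev->num_configs = initial_count;
    dev->allocated_configs = initial_count;
    return 0;
}

/* Vulnerable pattern: the re-read count replaces the trusted count with no
 * check against the allocation. */
static void model_update_count_unchecked(struct model_dev *dev, uint8_t reread)
{
    dev->num_configs = reread;
}

/* Hardened pattern: reject a re-read count larger than the count the array
 * was allocated for. Returns 0 if accepted, -1 if rejected. */
static int model_update_count_checked(struct model_dev *dev, uint8_t reread)
{
    if (reread > dev->allocated_configs) return -1;
    dev->num_configs = reread;
    return 0;
}

/* Model of a teardown loop such as usb_destroy_configuration, visiting config[i]
 * for i < num_configs. Returns how many iterations would touch memory past the
 * allocation (0 = in bounds). Nothing is dereferenced. */
static unsigned model_teardown_oob_count(const struct model_dev *dev)
{
    unsigned oob = 0;
    for (unsigned i = 0; i < dev->num_configs; i++)
        if (i >= dev->allocated_configs) oob++;
    return oob;
}
```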

A local attacker with the ability to attach a crafted USB device can trigger the flaw without user interaction, resulting in potential arbitrary code execution or memory corruption with high impact on confidentiality, integrity, and availability.

The referenced stable kernel commits (0b4ea4bfe165, 379d3b9799d9, 62dc01c83fa7, 920a369a9f01, and 9887d859cd60) contain the fix that prevents the oversized configuration value from causing later accesses beyond the allocated buffer.

EPSS remains low, with a current score of 0.0204 and a peak of only 0.0241.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices. A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 09 April 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

linux / linux kernel: 2.6.12 – 4.19.325 · 4.20 – 5.4.287 · 5.5 – 5.10.231
debian / debian linux: 11.0

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of untrusted input (bNumConfigurations from a USB device descriptor) before it is used to size kernel structures, preventing the oversized value that triggers later OOB accesses.

prevent (SI-16, Memory Protection): Enforces memory protection mechanisms that can detect or block the out-of-bounds reads/writes in usb_get_configuration and usb_destroy_configuration that result from the malformed USB descriptor.

prevent: Restricts logical access to USB ports and I/O devices, limiting the ability of an attacker-supplied bogus audio device to reach the vulnerable ALSA usb-audio configuration parsing code.
