CVE-2024-53150: Linux Kernel Out-of-Bounds Read Vulnerability

Published Dec 24, 2024

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads.

For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop.

For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.
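As an added illustration of the length checks the patch describes (example code written for this page, not the kernel's own), the following validator walks a constructed UAC2 class-specific descriptor blob and skips any clock descriptor whose bLength is shorter than the fields it would need to read. The subtype values, the descriptor layouts and the `count_clock_desc` helper are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* UAC2 clock entity subtypes (values as assumed for this example). */
#define UAC2_CLOCK_SOURCE     0x0A
#define UAC2_CLOCK_SELECTOR   0x0B
#define UAC2_CLOCK_MULTIPLIER 0x0C

/* Is bLength large enough for every field we would read?
 * Source: 8 bytes. Multiplier: 7 bytes. Selector: 5 header bytes, then
 * bNrInPins one-byte source IDs, then two one-byte tail fields
 * (bmControls, iClockSelector). For the selector a fixed sizeof() is not
 * enough: the variable-length pin array must be counted before the tail. */
static int clock_desc_len_ok(const uint8_t *d)
{
    switch (d[2]) {
    case UAC2_CLOCK_SOURCE:     return d[0] >= 8;
    case UAC2_CLOCK_MULTIPLIER: return d[0] >= 7;
    case UAC2_CLOCK_SELECTOR:
        return d[0] >= 5 && d[0] >= 5 + d[4] + 2;  /* read d[4] only once len >= 5 */
    default:                    return 0;
    }
}

/* Walk a class-specific interface descriptor blob and count well-formed
 * clock descriptors whose bClockID (offset 3) equals id. Descriptors that
 * are too short for their type are skipped, never dereferenced. */
int count_clock_desc(const uint8_t *buf, size_t len, uint8_t id)
{
    int found = 0;
    for (size_t off = 0; off + 3 <= len; ) {  /* need bLength, bDescriptorType, bSubtype */
        uint8_t blen = buf[off];
        if (blen < 3 || off + blen > len)     /* cannot advance safely: stop */
            break;
        if (clock_desc_len_ok(buf + off) && buf[off + 3] == id)
            found++;
        off += blen;
    }
    return found;
}

/* Constructed sample: a clock source (id 0x10), a bogus selector whose
 * bLength 7 is shorter than the 12 bytes its bNrInPins=5 implies, a valid
 * selector (id 0x11, 2 pins) and a clock multiplier (id 0x12). 0x24 = CS_INTERFACE. */
const uint8_t sample_desc[] = {
    8, 0x24, UAC2_CLOCK_SOURCE,     0x10, 0x01, 0x01, 0x00, 0x00,
    7, 0x24, UAC2_CLOCK_SELECTOR,   0x11, 5, 0x10, 0x10,
    9, 0x24, UAC2_CLOCK_SELECTOR,   0x11, 2, 0x10, 0x12, 0x03, 0x00,
    7, 0x24, UAC2_CLOCK_MULTIPLIER, 0x12, 0x10, 0x03, 0x00,
};
const size_t sample_desc_len = sizeof sample_desc;
```

Passing the blob truncated to 30 bytes shows the second guard: the final multiplier no longer fits and the walk stops instead of reading past the buffer.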

Other sources

Linux Kernel contains an out-of-bounds read vulnerability in the USB-audio driver that allows a local, privileged attacker to obtain potentially sensitive information.

CISA


Affected Software

15 affected components (fixes available)

Linux Kernel
- debian/linux <= 5.10.223-1; fixes: 5.10.234-1, 6.1.129-1, 6.1.135-1, 6.12.25-1, 6.12.27-1
- debian/linux-6.1; fix: 6.1.129-1~deb11u1
IBM Security Verify Governance <= ISVG 10.0.2
IBM Security Verify Governance - Identity Manager software component <= ISVG 10.0.2
IBM Security Verify Governance - Identity Manager virtual appliance component <= ISVG 10.0.2
Google Android
Linux kernel < 5.4.287
Linux kernel >= 5.5, < 5.10.231
Linux kernel >= 5.11, < 5.15.174
Linux kernel >= 5.16, < 6.1.120
Linux kernel >= 6.2, < 6.6.64
Linux kernel >= 6.7, < 6.11.11
Linux kernel >= 6.12, < 6.12.2
Debian Linux = 11.0

Event History

Nov 6, 2023: News Published, 02:01 PM
Jan 8, 2024: News Published, 07:27 AM
Apr 15, 2024: News Published, 01:58 AM
May 27, 2024: News Published, 02:59 AM
Jun 10, 2024: News Published, 12:30 PM
Aug 5, 2024: News Published, 02:00 AM
Sep 16, 2024: News Published, 02:30 AM
Sep 23, 2024: News Published, 12:50 AM
Dec 9, 2024: News Published, 03:01 AM
Dec 24, 2024: CVE Published via MITRE, 11:28 AM
Dec 24, 2024: Data Sourced via MITRE, 11:28 AM (Description)
Dec 24, 2024: Data Sourced via Red Hat, 12:01 PM (Description, Severity, Affected Software)
Dec 24, 2024: Data Sourced via NVD, 12:15 PM (Remedy, Description, Severity, Weakness, Affected Software)
Feb 20, 2025: Data Sourced via Launchpad, 12:52 AM (Description)
Apr 7, 2025: Data Sourced via Android, 12:00 AM (Severity, Weakness, Affected Software)
Apr 7, 2025: News Published via BleepingComputer, 05:55 PM
Apr 7, 2025: News Published via BleepingComputer, 05:57 PM
Apr 9, 2025: Known Exploited via CISA, 12:00 AM
Apr 14, 2025: News Published, 05:35 AM
Apr 29, 2025: Data Sourced via Ubuntu, 01:11 AM (Remedy, Description, Severity, Affected Software)
May 26, 2025: News Published via The Register, 04:28 AM
May 26, 2025: News Published via The Register, 04:32 AM
Aug 27, 2025: Data Sourced via IBM, 12:00 AM (Description, Affected Software)


Frequently Asked Questions

1. What is the severity of CVE-2024-53150?

CVE-2024-53150 has been classified as a moderate severity vulnerability due to the potential for out of bounds reads in the Linux kernel.

2. How do I fix CVE-2024-53150?

To fix CVE-2024-53150, you should update your Linux kernel to a version that is not affected by this vulnerability.

3. Which Linux kernel versions are affected by CVE-2024-53150?

CVE-2024-53150 affects Linux kernel versions from 5.4.0 up to, but not including, 5.5.0, and certain versions up to 6.12.2.

4. What component of the Linux kernel is impacted by CVE-2024-53150?

CVE-2024-53150 impacts the ALSA USB audio driver within the Linux kernel.

5. Is CVE-2024-53150 actively exploited in the wild?

As of now, there is no public knowledge of CVE-2024-53150 being actively exploited.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co