Linux Kernel USB Audio Driver Out-of-Bounds Read Vulnerability
CVE-2024-53150 Published on December 24, 2024
ALSA: usb-audio: Fix out of bounds reads when finding clock sources
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix out of bounds reads when finding clock sources
The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors. That is, when a
device provides a bogus descriptor with a shorter bLength, the driver
might hit out-of-bounds reads.
For addressing it, this patch adds sanity checks to the validator
functions for the clock descriptor traversal. When the descriptor
length is shorter than expected, it's skipped in the loop.
For the clock source and clock multiplier descriptors, we can just
check bLength against the sizeof() of each descriptor type.
OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
of bNrInPins elements and two more fields at its tail, hence those
have to be checked in addition to the sizeof() check.
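The traversal the commit message describes, as an added example that is not the kernel's code (the real validators live in sound/usb/clock.c): a user-space C model of how class-specific interface descriptors are strided by their declared bLength, with the clock-source validator before and after the sizeof() check, and the extra bNrInPins-plus-two-bytes check for the clock selector. Struct layouts follow the UAC2 descriptor format; every function name, the descriptor blob and the "adjacent memory" byte placed after it are assumptions constructed for this example.

```c
/*
 * Added example, not the kernel's code: a user-space model of the
 * USB-audio clock-descriptor walk before and after the bLength checks.
 * Layouts follow UAC2; all names and the descriptor bytes are made up.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CS_INTERFACE   0x24
#define UAC2_CLOCK_SOURCE     0x0a
#define UAC2_CLOCK_SELECTOR   0x0b

/* UAC2 clock source descriptor: fixed 8 bytes */
struct uac2_clock_source_desc {
    uint8_t bLength, bDescriptorType, bDescriptorSubtype;
    uint8_t bClockID, bmAttributes, bmControls, bAssocTerminal, iClockSource;
};

/* UAC2 clock selector: 5 fixed bytes, bNrInPins pin IDs, then bmControls and iClockSelector */
struct uac2_clock_selector_desc {
    uint8_t bLength, bDescriptorType, bDescriptorSubtype;
    uint8_t bClockID, bNrInPins;
    uint8_t baCSourceID[];
};

/* Stride through descriptors by their declared bLength and return the next
 * CS_INTERFACE descriptor of the wanted subtype after `after` (or NULL).
 * Like the kernel's walker this only guarantees that bLength bytes fit in
 * the buffer; it says nothing about whether bLength covers the struct. */
static const uint8_t *next_cs_desc(const uint8_t *buf, size_t len,
                                   const uint8_t *after, uint8_t subtype)
{
    const uint8_t *p = buf, *end = buf + len;
    while (p < end) {
        if (p[0] < 3 || p + p[0] > end)
            return NULL;
        if (p[1] == USB_DT_CS_INTERFACE && p[2] == subtype && (!after || p > after))
            return p;
        p += p[0];
    }
    return NULL;
}

/* Before the fix: bClockID (offset 3) is read no matter what bLength says. */
static bool clock_source_matches_unchecked(const uint8_t *d, uint8_t id)
{
    const struct uac2_clock_source_desc *cs = (const void *)d;
    return cs->bClockID == id;
}

/* After the fix: a descriptor shorter than the struct is skipped. */
static bool clock_source_matches_checked(const uint8_t *d, uint8_t id)
{
    const struct uac2_clock_source_desc *cs = (const void *)d;
    if (cs->bLength < sizeof(*cs))
        return false;
    return cs->bClockID == id;
}

/* Selector: sizeof() only covers the fixed head, so the pin array and the
 * two trailing fields (bmControls, iClockSelector) have to be counted too. */
static bool clock_selector_len_ok(const uint8_t *d)
{
    const struct uac2_clock_selector_desc *cs = (const void *)d;
    if (cs->bLength < sizeof(*cs))
        return false;
    return cs->bLength >= sizeof(*cs) + cs->bNrInPins + 2;
}

/* Byte offset of the first clock source with the given ID, or -1. */
static int find_clock_source(const uint8_t *buf, size_t len, uint8_t id, bool checked)
{
    const uint8_t *cs = NULL;
    while ((cs = next_cs_desc(buf, len, cs, UAC2_CLOCK_SOURCE)) != NULL) {
        bool ok = checked ? clock_source_matches_checked(cs, id)
                          : clock_source_matches_unchecked(cs, id);
        if (ok)
            return (int)(cs - buf);
    }
    return -1;
}

/* Constructed descriptor blob (not captured from a real device). The backing
 * array is longer than BLOB_LEN so the out-of-bounds read in the unchecked
 * path lands on a byte we control instead of crashing the example; in the
 * kernel it would hit whatever memory follows the interface's extra data. */
#define BLOB_LEN 26
static const uint8_t backing[32] = {
    8, 0x24, 0x0a, 0x10, 0x01, 0x07, 0x00, 0x00,        /* off 0: clock source, ID 0x10 */
    9, 0x24, 0x0b, 0x30, 0x02, 0x10, 0x11, 0x03, 0x00,  /* off 8: selector, ID 0x30, 2 pins + tail */
    6, 0x24, 0x0b, 0x31, 0x05, 0x10,                    /* off 17: claims 5 pins in 6 bytes; its bmControls would sit at 27 */
    3, 0x24, 0x0a,                                      /* off 23: clock source with no bClockID field at all */
    0x20,                                               /* off 26 == BLOB_LEN: "adjacent memory" */
};

int main(void)
{
    printf("unchecked lookup of ID 0x20: offset %d (matched on a byte past the blob)\n",
           find_clock_source(backing, BLOB_LEN, 0x20, false));
    printf("checked lookup of ID 0x20:   offset %d\n",
           find_clock_source(backing, BLOB_LEN, 0x20, true));
    printf("selector at 8 length ok: %d, selector at 17 length ok: %d\n",
           clock_selector_len_ok(backing + 8), clock_selector_len_ok(backing + 17));
    return 0;
}
```

The unchecked lookup for clock ID 0x20 reports offset 23, the truncated descriptor, because the only 0x20 byte lies past the end of the blob: the walker checks that the declared bLength fits in the buffer, but nothing checks that the fields the validator reads fit inside bLength, which is the gap the patch closes. Build with `cc -std=c99 -Wall example.c`.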
Known Exploited Vulnerability
This Linux Kernel Out-of-Bounds Read Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Linux Kernel contains an out-of-bounds read vulnerability in the USB-audio driver that allows a local, privileged attacker to obtain potentially sensitive information.
The following remediation steps are recommended / required by April 30, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2024-53150 is exploitable with local access and requires only low privileges; the attack complexity is rated low, and CISA lists it as actively exploited. The rated impact is high on confidentiality (memory beyond the descriptor buffer can be disclosed), none on integrity, and high on availability (the out-of-bounds read can crash the kernel). Note what "local" means here: the bogus descriptor comes from a USB audio device, so in practice the attacker has to attach or emulate such a device, and the descriptors are parsed when the driver binds to the device at plug-in time.
Weakness Type
Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
Products Associated with CVE-2024-53150
Affected Versions
Linux kernel, by git commit (each range runs from the commit that introduced the bug up to, but not including, the commit that fixes it in that branch):
- From b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a before a632bdcb359fd8145e86486ff8612da98e239acd is affected.
- From b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a before 45a92cbc88e4013bfed7fd2ccab3ade45f8e896b is affected.
- From b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a before ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9 is affected.
- From b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a before da13ade87a12dd58829278bc816a61bea06a56a9 is affected.
- From b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a before 74cb86e1006c5437b1d90084d22018da30fddc77 is affected.
- From b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a before ea0fa76f61cf8e932d1d26e6193513230816e11d is affected.
- From b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a before 096bb5b43edf755bc4477e64004fa3a20539ec2f is affected.
- From b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a before a3dd4d63eeb452cfb064a13862fb376ab108f6a6 is affected.
- Commit 9feeaa50e5b4b0b71259d918a36ecf9059e60796 is affected.
- Commit 3b17a13b687ae99939dc94a4ae01fbc34f68decc is affected.
Linux kernel, by release:
- Before 5.4 is unaffected.
- Version 5.4 and later is affected, except the fixed releases listed next.
- Version 5.4.287 and later 5.4.* releases are unaffected.
- Version 5.10.231 and later 5.10.* releases are unaffected.
- Version 5.15.174 and later 5.15.* releases are unaffected.
- Version 6.1.120 and later 6.1.* releases are unaffected.
- Version 6.6.64 and later 6.6.* releases are unaffected.
- Version 6.11.11 and later 6.11.* releases are unaffected.
- Version 6.12.2 and later 6.12.* releases are unaffected.
- Version 6.13 and later is unaffected.
These are upstream version numbers. Distribution kernels usually backport fixes without bumping the version, so check the distribution's own changelog or advisory for the fix rather than comparing uname -r against this list.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.