Linux Kernel USB Audio Driver Out-of-Bounds Read Vulnerability
CVE-2024-53150 Published on December 24, 2024
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.
Known Exploited Vulnerability
This Linux Kernel Out-of-Bounds Read Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Linux Kernel contains an out-of-bounds read vulnerability in the USB-audio driver that allows a local, privileged attacker to obtain potentially sensitive information.
The following remediation steps are recommended / required by April 30, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2024-53150 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.
Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
Products Associated with CVE-2024-53150
You can be notified by stack.watch whenever vulnerabilities like CVE-2024-53150 are published in these products:
What versions are vulnerable to CVE-2024-53150?
-
Linux Kernel
Version 6.12
Fixed in Version 6.12.2
-
Linux Kernel
Version 6.7
Fixed in Version 6.11.11
-
Linux Kernel
Version 5.16
Fixed in Version 6.1.120
-
Linux Kernel
Version 5.11
Fixed in Version 5.15.174
-
Linux Kernel
Version 5.5
Fixed in Version 5.10.231
-
Linux Kernel
Version 6.2
Fixed in Version 6.6.64
-
Linux Kernel
Fixed in Version 5.4.287