Linux Kernel Vulnerabilities: CVE-2024-53197, CVE-2024-53150

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two Linux kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that these previously theoretical security risks are now confirmed threats being actively exploited by malicious actors. This development demands immediate attention from Linux administrators and security professionals.

The vulnerabilities in question, CVE-2024-53197 and CVE-2024-53150, both received CVSS scores of 7.8 and affect the Linux kernel’s ALSA USB-audio driver. Federal Civilian Executive Branch (FCEB) agencies are now required to patch these vulnerabilities by April 30, 2025, under Binding Operational Directive (BOD) 22-01. Other organizations are strongly advised to follow suit.

 

Understanding the Vulnerabilities

 

CVE-2024-53197: Out-of-Bounds Memory Access in USB-Audio Driver

This vulnerability lies in the driver’s handling of Extigy and Mbox devices and concerns the trust placed in configuration data those devices report. The issue stems from the bNumConfigurations field supplied by a connected USB device. If that value exceeds the number of configurations for which memory was allocated, subsequent kernel operations access memory beyond the intended bounds.

In detail: when a malicious or misconfigured USB device reports a bNumConfigurations value larger than the one usb_get_configuration used to allocate dev->config, later operations such as usb_destroy_configuration walk past the end of that allocation. The result is out-of-bounds memory access, with a significant risk of memory corruption or system instability.

The fix validates the configuration count before using it, so the kernel never touches memory outside the allocated region.
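The following is an added illustration, not code from the kernel or from TuxCare: a small user-space model of the pattern just described. It allocates a configuration array sized by the bNumConfigurations seen at enumeration, then re-reads a device descriptor the way the Extigy/Mbox handling does. The unchecked update trusts the second value and a later teardown walks past the allocation; the checked update rejects a count larger than what was allocated. The struct layouts, the model_ functions and the constructed descriptor values are this example’s own simplifications, not the kernel’s definitions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (assumption: only the
 * fields needed for the illustration are modelled). */
struct usb_device_descriptor {
    unsigned char bLength;
    unsigned char bDescriptorType;
    unsigned char bNumConfigurations;   /* supplied by the device */
};

struct usb_host_config {
    int in_use;
};

struct usb_device {
    struct usb_device_descriptor descriptor;   /* copy the kernel trusts */
    struct usb_host_config *config;            /* nconfigs entries */
    unsigned char nconfigs;                    /* how many were allocated */
};

/* Model of usb_get_configuration(): dev->config is sized by the
 * bNumConfigurations value seen when the device was first enumerated. */
static int model_get_configuration(struct usb_device *dev, unsigned char ncfg)
{
    dev->descriptor.bNumConfigurations = ncfg;
    dev->nconfigs = ncfg;
    dev->config = calloc(ncfg, sizeof(*dev->config));
    return dev->config ? 0 : -1;
}

/* Pre-fix pattern: accept whatever the device reports on the re-read. */
static void update_descriptor_unchecked(struct usb_device *dev,
                                        const struct usb_device_descriptor *fresh)
{
    memcpy(&dev->descriptor, fresh, sizeof(dev->descriptor));
}

/* Hardened pattern (the shape of the fix): refuse a re-read descriptor whose
 * bNumConfigurations exceeds the allocated count and keep the trusted copy. */
static int update_descriptor_checked(struct usb_device *dev,
                                     const struct usb_device_descriptor *fresh)
{
    if (fresh->bNumConfigurations > dev->nconfigs)
        return -1;
    memcpy(&dev->descriptor, fresh, sizeof(dev->descriptor));
    return 0;
}

/* Model of usb_destroy_configuration(): iterates bNumConfigurations entries
 * of dev->config. Instead of touching memory it counts how many iterations
 * fall outside the allocation; 0 means the walk stayed in bounds. */
static unsigned int model_destroy_configuration(const struct usb_device *dev)
{
    unsigned int oob = 0;
    for (unsigned int i = 0; i < dev->descriptor.bNumConfigurations; i++) {
        if (i >= dev->nconfigs)
            oob++;          /* real code would read dev->config[i] here */
    }
    return oob;
}

/* Scenario (constructed): enumerated with 1 configuration, then the device
 * re-reports 4. Returns the number of out-of-bounds iterations. */
static unsigned int scenario(bool hardened)
{
    struct usb_device dev;
    struct usb_device_descriptor fresh = { 18, 1, 4 };
    unsigned int oob;

    if (model_get_configuration(&dev, 1) != 0)
        return (unsigned int)-1;
    if (hardened)
        (void)update_descriptor_checked(&dev, &fresh);
    else
        update_descriptor_unchecked(&dev, &fresh);
    oob = model_destroy_configuration(&dev);
    free(dev.config);
    return oob;
}

int main(void)
{
    printf("unchecked: %u out-of-bounds config entries\n", scenario(false));
    printf("checked:   %u out-of-bounds config entries\n", scenario(true));
    return 0;
}
```

The point of the model is where the bound comes from: the allocation size is fixed at enumeration time, so any later value the device reports must be compared against that size, not against its own earlier claim.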

CVE-2024-53150: Out-of-Bounds Reads in Clock Descriptor Traversal

 

The second vulnerability relates to the Linux kernel’s ALSA USB-audio driver failing to validate the bLength field of USB audio clock descriptors while traversing them. Without that validation, a malicious or misconfigured USB device can supply a descriptor with a shorter-than-expected bLength, and the driver then reads fields that lie beyond the descriptor, triggering out-of-bounds reads.

The patch adds sanity checks to the validator functions used during clock descriptor traversal. A descriptor whose length is shorter than expected is now skipped in the loop. For clock source and clock multiplier descriptors, the check compares bLength against the sizeof() of the corresponding descriptor structure. The clock selector descriptor needs additional checks because its size is variable: it carries an array of bNrInPins source IDs followed by further fields, so the required length depends on the bNrInPins value itself.
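As an added example, not the kernel’s sound/usb/clock.c, here is a descriptor walker that looks up a clock entity by bClockID in a class-specific AudioControl blob and rejects descriptors whose bLength is shorter than their subtype requires. The descriptor layouts (clock source 8 bytes, clock multiplier 7 bytes, clock selector 7 + bNrInPins bytes) follow the USB Audio Class 2.0 specification; the walker, its helpers and the sample blob are this example’s own, and the blob deliberately contains a selector that claims three pins but carries only five bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CS_INTERFACE          0x24
#define UAC2_CLOCK_SOURCE     0x0a   /* fixed 8 bytes */
#define UAC2_CLOCK_SELECTOR   0x0b   /* 7 + bNrInPins bytes */
#define UAC2_CLOCK_MULTIPLIER 0x0c   /* fixed 7 bytes */

/* Constructed sample: a valid clock source (ID 1), a truncated clock
 * selector (ID 2, bNrInPins = 3 but bLength = 5), a valid two-pin clock
 * selector (ID 3) and a valid clock multiplier (ID 4). */
static const uint8_t sample_cs_blob[] = {
    8, CS_INTERFACE, UAC2_CLOCK_SOURCE,     1, 0x03, 0x07, 0x00, 0x00,
    5, CS_INTERFACE, UAC2_CLOCK_SELECTOR,   2, 3,
    9, CS_INTERFACE, UAC2_CLOCK_SELECTOR,   3, 2, 1, 4, 0x03, 0x00,
    7, CS_INTERFACE, UAC2_CLOCK_MULTIPLIER, 4, 1, 0x0f, 0x00,
};

/* Bytes a clock descriptor of this subtype must carry. `avail` is how many
 * bytes of the descriptor are readable; a selector whose bNrInPins byte is
 * missing is reported as needing SIZE_MAX so every caller rejects it. */
static size_t clock_desc_required_len(const uint8_t *p, size_t avail)
{
    switch (p[2]) {
    case UAC2_CLOCK_SOURCE:     return 8;
    case UAC2_CLOCK_MULTIPLIER: return 7;
    case UAC2_CLOCK_SELECTOR:   return avail >= 5 ? 7u + p[4] : SIZE_MAX;
    default:                    return SIZE_MAX;   /* not a clock descriptor */
    }
}

/* Locate the clock descriptor with subtype `want` and bClockID `id`.
 * Returns its byte offset in buf, or -1 if absent. With validate == false the
 * match is made on subtype and ID alone (the pre-fix behaviour); with
 * validate == true a descriptor whose bLength is too short is skipped, which
 * is the behaviour the patch introduces. The walk never reads past buf+len. */
static long find_clock_desc(const uint8_t *buf, size_t len,
                            uint8_t want, uint8_t id, bool validate)
{
    size_t off = 0;

    while (off + 4 <= len) {                 /* header through bClockID */
        uint8_t blen = buf[off];
        if (blen < 4 || off + blen > len)
            break;                           /* cannot advance safely */
        if (buf[off + 1] == CS_INTERFACE && buf[off + 2] == want &&
            buf[off + 3] == id) {
            if (!validate || blen >= clock_desc_required_len(buf + off, blen))
                return (long)off;
        }
        off += blen;
    }
    return -1;
}

/* How many bytes beyond its own bLength a descriptor at `off` would be read
 * by code that trusts its subtype-specific fields; 0 means it is safe. */
static size_t clock_desc_overrun(const uint8_t *buf, long off)
{
    const uint8_t *p = buf + off;
    size_t need = clock_desc_required_len(p, p[0]);
    return need > p[0] ? need - p[0] : 0;
}

int main(void)
{
    size_t len = sizeof(sample_cs_blob);
    long unchecked = find_clock_desc(sample_cs_blob, len, UAC2_CLOCK_SELECTOR, 2, false);
    long checked   = find_clock_desc(sample_cs_blob, len, UAC2_CLOCK_SELECTOR, 2, true);

    printf("selector ID 2 without bLength check: offset %ld, overrun %zu bytes\n",
           unchecked, unchecked < 0 ? 0 : clock_desc_overrun(sample_cs_blob, unchecked));
    printf("selector ID 2 with bLength check:    offset %ld (skipped)\n", checked);
    printf("selector ID 3 with bLength check:    offset %ld\n",
           find_clock_desc(sample_cs_blob, len, UAC2_CLOCK_SELECTOR, 3, true));
    return 0;
}
```

Without the check, the truncated selector is matched and its three baCSourceID entries plus bmControls would be read from the five bytes that follow it, which here belong to the next descriptor and at the end of a buffer would lie past it. With the check, the short descriptor is skipped and the lookup continues to well-formed entries.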

The Broader Context: Kernel Vulnerability Reporting Explosion

 

These new KEV additions come amid an unprecedented surge in Linux kernel CVEs, creating significant challenges for security teams attempting to prioritize patches and mitigations. The dramatic increase correlates directly with the Linux kernel team becoming a CVE Numbering Authority (CNA) in 2024 and adopting an approach of assigning CVEs to almost all bugs:

  • 2022: 309 total kernel CVEs
  • 2023: 290 total kernel CVEs
  • 2024: 3,887 total kernel CVEs (after becoming a CNA)
  • 2025: 1,476 kernel CVEs in just the first three months

This more than 13-fold increase from 2023 to 2024 has created what can be described as “CVE fatigue,” making it increasingly difficult to separate truly critical vulnerabilities from less severe issues.

Implications for Security Teams

 

The addition of these vulnerabilities to CISA’s KEV catalog marks a critical distinction. While thousands of kernel vulnerabilities are disclosed annually, inclusion in the KEV list confirms these particular flaws are being actively exploited in the wild. This shifts them from theoretical risks to immediate threats requiring prompt attention.

For organizations already struggling with the flood of kernel CVEs, this further strains limited resources. Security teams must now:

  1. Identify affected systems in their environment
  2. Prioritize patching based on exposure and criticality
  3. Implement mitigations for systems that cannot be immediately patched
  4. Monitor for exploitation attempts using the now-public vulnerability details
  5. Reconsider their patching methodology, for example by adopting rebootless live patching technology such as TuxCare’s KernelCare Enterprise, which applies kernel patches without disruption

Recommended Actions

Immediate Steps

  1. Identify Vulnerable Systems: Conduct an inventory to identify Linux systems that may be affected, particularly those with USB peripherals connected.
  2. Apply Available Patches: Update to kernel versions containing the fixes for these vulnerabilities. The patches have been backported to maintained kernel branches.
  3. Implement USB Device Controls: Where patching isn’t immediately possible, consider limiting or restricting USB device connections, particularly on servers and critical systems.
  4. Monitor for Suspicious Activity: Enhance monitoring for unusual system behavior, particularly related to USB device connections and disconnections.

Long-Term Strategy for Managing the CVE Flood

 

  1. Risk-Based Vulnerability Management: Develop a framework that prioritizes vulnerabilities based on actual risk to your environment rather than attempting to patch everything.
  2. Modernize Patch Management: Invest in solutions that can automate the patching of vulnerabilities as they become known, without requiring downtime or service disruption, like rebootless live patching.
  3. Defense-in-Depth Approaches: Implement additional security controls that can mitigate exploitation even when vulnerabilities exist.
  4. Engage with the Community: Participate in Linux security forums and discussions to stay informed about which vulnerabilities truly matter.

Final Thoughts

 

The addition of these Linux kernel vulnerabilities to CISA’s KEV catalog underscores the real-world threats they pose. While the explosive growth in kernel CVEs presents challenges for security teams, focusing on vulnerabilities confirmed to be under active exploitation provides a clearer prioritization signal.

As the Linux kernel project continues its more comprehensive CVE assignment approach, security professionals must adapt by developing more sophisticated vulnerability management strategies that focus on risk rather than attempting to address every reported issue.

For Linux-centric organizations, these developments reinforce the need for dedicated resources focused on kernel security and highlight the ongoing tension between comprehensive vulnerability disclosure and practical security operations.

 

Publisher: TuxCare
