When CVSS Scores Don’t Tell the Full Story: The Case of CVE-2024-50302

by Joao Correia

March 14, 2025 - Technical Evangelist

Use the following links to track the status of patches for CVE-2024-50302 for KernelCare and Endless Lifecycle Support. All patches for all supported and affected distributions will be made available shortly.

Introduction


The cybersecurity community has been closely monitoring CVE-2024-50302, a Linux kernel vulnerability that, despite a moderate CVSS score of 5.5, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on March 4, 2025. The listing highlights an uncomfortable reality of vulnerability management: a CVSS base score measures the intrinsic characteristics of a flaw, not who is exploiting it or why, so it does not always reflect the threat a vulnerability poses in practice.

Understanding CVE-2024-50302


CVE-2024-50302 is an information disclosure vulnerability in the Linux kernel’s HID (Human Interface Devices) core. The report buffer that hid_alloc_report_buf() hands to HID drivers was allocated with kmalloc() rather than kzalloc(), so it started life holding whatever the recycled kernel heap memory previously contained. Any code path that did not overwrite every byte before exposing the buffer could therefore return stale kernel memory in response to a specially crafted report. Because HID reports come from an attached device, the realistic attacker is someone with physical access who connects a malicious or emulated USB device, which is consistent with the local attack vector in the CVSS score and is exactly the position a forensic extraction tool operates from.

The fix, merged upstream in November 2024 during the 6.12 release cycle and backported to the stable series, is a one-line change: allocate the buffer with kzalloc() so that every byte is zero before any driver or device touches it. Memory that was never written can then no longer leak through a report. Google shipped the fix in the Android March 2025 security bulletin.
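The following is an added example, not code from the original article or from the kernel: a user-space model of the bug class behind CVE-2024-50302. A toy slab allocator hands back a chunk that a previous user filled with sensitive data, the vulnerable report-buffer allocator returns it uninitialised, and a device report shorter than the buffer leaves stale bytes behind that a full-length copy to user space would expose. The toy_kmalloc/toy_kzalloc helpers, the REPORT_LEN constant and the secret string are all constructed for the demonstration; only the kmalloc()-to-kzalloc() change mirrors the upstream fix in hid_alloc_report_buf().

```c
/* Added example: models the uninitialised report buffer of CVE-2024-50302
 * in user space. Nothing here is kernel code; the allocator is a toy. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define REPORT_LEN 64   /* hypothetical maximum HID report length */

/* Toy slab: a single REPORT_LEN chunk that is reused across "allocations"
 * without being scrubbed, which is also how a real slab cache behaves. */
static uint8_t slab_chunk[REPORT_LEN];

static void *toy_kmalloc(size_t len)
{
    return len <= REPORT_LEN ? slab_chunk : NULL;   /* never clears memory */
}

static void *toy_kzalloc(size_t len)
{
    void *p = toy_kmalloc(len);
    if (p)
        memset(p, 0, len);                           /* the fix: zero-fill */
    return p;
}

static void toy_kfree(void *p) { (void)p; }          /* no scrubbing on free */

/* An earlier kernel user of the same slab cache leaves sensitive data behind
 * (constructed secret, 28 characters plus the terminating NUL). */
static void previous_user_leaves_secret(void)
{
    const char secret[] = "STALE-KERNEL-DATA:0xdeadbeef";
    char *p = toy_kmalloc(REPORT_LEN);
    memcpy(p, secret, sizeof(secret));
    toy_kfree(p);
}

/* A device answering a GET_REPORT with fewer bytes than the driver asked for:
 * only the first n bytes of the buffer are written. */
static int device_fills_report(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = 0x41;                               /* arbitrary payload */
    return (int)n;
}

/* Count non-zero bytes beyond what the device wrote: stale memory that a
 * driver copying the whole buffer to user space would disclose. */
static size_t stale_bytes(const uint8_t *buf, size_t written, size_t total)
{
    size_t n = 0;
    for (size_t i = written; i < total; i++)
        if (buf[i] != 0)
            n++;
    return n;
}

/* Vulnerable path: buffer from toy_kmalloc(), contents inherited. */
size_t leaked_bytes_vulnerable(void)
{
    previous_user_leaves_secret();
    uint8_t *report = toy_kmalloc(REPORT_LEN);
    int got = device_fills_report(report, 8);
    return stale_bytes(report, (size_t)got, REPORT_LEN);
}

/* Fixed path: buffer from toy_kzalloc(), every byte zero before the device
 * writes, so the unwritten tail discloses nothing. */
size_t leaked_bytes_fixed(void)
{
    previous_user_leaves_secret();
    uint8_t *report = toy_kzalloc(REPORT_LEN);
    int got = device_fills_report(report, 8);
    return stale_bytes(report, (size_t)got, REPORT_LEN);
}

int main(void)
{
    printf("uninitialised buffer: %zu stale bytes exposed\n", leaked_bytes_vulnerable());
    printf("zeroed buffer:        %zu stale bytes exposed\n", leaked_bytes_fixed());
    return 0;
}
```

The point of the model is the gap between what the device wrote (8 bytes) and what the driver believes the buffer holds (REPORT_LEN bytes): with kmalloc() that gap is whatever the heap last contained, with kzalloc() it is zeros. The same reasoning applies when auditing any driver that allocates a fixed-size buffer and later copies its full length out, regardless of how much the hardware actually filled in.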

Beyond the Numbers: Real-World Impact


The NVD base score for CVE-2024-50302 is 5.5 (Medium): a local, low-privilege, confidentiality-only vector under CVSS v3. Red Hat rated it 6.1 in its own advisory. Such discrepancies are normal rather than suspicious: a vendor scores the flaw against its own products, kernel configurations and exploitation analysis, and is often closer to the practical attack scenarios than a generic database entry.

What makes this vulnerability noteworthy is confirmed exploitation in the wild. According to Amnesty International, it was likely leveraged by Cellebrite’s mobile forensic tooling to unlock the Android phone of a Serbian student activist. That is a significant privacy and human rights concern, especially given the broader pattern of surveillance against civil society in Serbia that Amnesty has documented.

The Cellebrite Connection


The exploitation of CVE-2024-50302 is part of a larger pattern. Amnesty International’s Security Lab had earlier shared evidence of a Cellebrite zero-day exploit chain with industry partners including Google’s Threat Analysis Group, whose analysis identified three Linux kernel USB-driver vulnerabilities in the chain: CVE-2024-53104 in the USB Video Class driver, CVE-2024-53197 in the USB audio driver, and CVE-2024-50302 in HID core. All three are reached through a physically connected USB device, which is why the chain works as a lock-screen bypass for an attacker who is holding the phone.

Cellebrite’s UFED (Universal Forensic Extraction Device) suite is designed to extract data from mobile devices, even without access to device passcodes – capabilities that make such tools valuable to law enforcement but potentially dangerous when misused for targeting activists, journalists, or political opponents.

The situation escalated to the point where, in February 2025, Cellebrite announced it would halt product use by certain customers in Serbia following Amnesty International’s report on surveillance abuses.

CISA’s KEV Listing: A Critical Signal


CISA’s addition of CVE-2024-50302 to its Known Exploited Vulnerabilities (KEV) catalog sends a clear message to organizations: this vulnerability requires immediate attention regardless of its moderate CVSS score. For U.S. federal civilian agencies the message is binding, since Binding Operational Directive 22-01 requires KEV entries to be remediated by the due date CISA lists, and many private-sector programmes use the same catalog as a forced-prioritization input.

This is why vulnerability management cannot rely solely on CVSS scores for prioritization. The base score standardizes the intrinsic characteristics of a flaw, but by design it does not capture:

  • Active exploitation in the wild (a temporal or threat metric that most advisories never publish)
  • Availability of working exploit code
  • Strategic value to specific threat actors, such as a forensic vendor that needs a lock-screen bypass
  • The attacker’s real position: a local attack vector looks less alarming until the attacker is holding the device
  • Potential for chaining with other vulnerabilities, as happened here with two other USB-driver bugs

Lessons for Security Teams


The case of CVE-2024-50302 offers several important lessons for security practitioners:

  1. Look beyond the CVSS score: Prioritize vulnerabilities based on a holistic threat assessment that includes real-world exploitation status.

  2. Monitor authoritative sources: CISA’s KEV catalog, vendor-specific advisories, and threat intelligence reports often provide crucial context that numerical scores cannot capture.

  3. Consider the full attack chain: This vulnerability demonstrates how seemingly moderate flaws can become critical when used as part of a sophisticated exploit chain.

  4. Understand the human impact: Security vulnerabilities can have real-world consequences for privacy, human rights, and civil liberties – factors that aren’t reflected in technical scoring systems.

Final Thoughts


CVE-2024-50302 serves as a reminder that effective vulnerability management requires looking beyond numerical scores to understand the actual risk posed by security flaws. When a vulnerability appears on CISA’s KEV list or is linked to active exploitation by tools like Cellebrite, security teams should treat it with heightened urgency regardless of its CVSS score.

For organizations running Linux kernel-based systems, patching this vulnerability should be a high priority given its demonstrated use in targeted surveillance operations. On Android, check that devices report the March 2025 security patch level or later. On other Linux systems, confirm that the running kernel actually includes the HID core fix (distribution advisories, including Red Hat’s, list the fixed package versions), and remember that a live-patching service only protects kernels it has patched, so verify the status rather than assume it.


Sources:

https://www.amnesty.org/en/latest/news/2025/02/cellebrite-halts-product-use-in-serbia-following-amnesty-surveillance-report/

https://securityaffairs.com/174923/security/u-s-cisa-adds-linux-kernel-and-vmware-esxi-and-workstation-flaws-to-its-known-exploited-vulnerabilities-catalog.html

https://access.redhat.com/security/cve/cve-2024-50302

