The Cybersecurity and Infrastructure Security Agency (CISA) yesterday added two Linux kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming that both flaws are being actively exploited in targeted attacks.
Federal agencies are required to patch affected systems by April 30, 2025. Both bugs reportedly form part of a zero-day exploit chain used to unlock confiscated Android devices.
Linux Kernel Out-of-Bounds Access Vulnerability: CVE-2024-53197
This high-severity flaw (CVSS 7.8) stems from the ALSA (Advanced Linux Sound Architecture) USB-audio driver's improper validation of the bNumConfigurations value supplied by the device in its quirk handling for certain audio interfaces.
An attacker with physical access can trigger it by connecting a malicious USB device, such as a forged audio interface, that reports a bNumConfigurations value larger than the count the kernel used in usb_get_configuration when it allocated the configuration array. Code that later walks that array, such as usb_destroy_configuration, then indexes past the allocation.
The resulting out-of-bounds accesses can crash the system or be leveraged for privilege escalation and arbitrary code execution in the kernel.
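The pattern behind the bug, stated as a small C model: the configuration array is sized from the count the device gave at enumeration, a later step re-reads the device descriptor, and teardown trusts the new count. The unchecked and hardened re-read sit side by side. This is an added illustration, not the kernel's code; the struct and function names (usb_device_model, enumerate, reread_unchecked, reread_checked, teardown_out_of_bounds, run_scenario) are hypothetical, and the teardown loop counts the slots it would touch past the array rather than dereferencing them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the stale-size pattern (added example, not kernel
 * code). At enumeration the core sizes dev->config from the device
 * descriptor's bNumConfigurations. A quirk later resets the device and
 * re-reads the descriptor, and a hostile device can answer with a larger
 * count than it originally reported. */
struct usb_config_model { uint8_t bConfigurationValue; };

struct usb_device_model {
    uint8_t configs_allocated;       /* slots actually in the array */
    uint8_t bNumConfigurations;      /* count the driver currently believes */
    struct usb_config_model *config; /* configs_allocated entries */
};

static int enumerate(struct usb_device_model *dev, uint8_t n)
{
    dev->config = calloc(n, sizeof *dev->config);
    if (!dev->config)
        return -1;
    dev->configs_allocated = n;
    dev->bNumConfigurations = n;
    return 0;
}

/* Vulnerable shape: adopt whatever the device now claims. */
static void reread_unchecked(struct usb_device_model *dev, uint8_t reported)
{
    dev->bNumConfigurations = reported;
}

/* Hardened shape: a count above the original allocation is rejected, so
 * later loops can never index past dev->config. */
static int reread_checked(struct usb_device_model *dev, uint8_t reported)
{
    if (reported > dev->configs_allocated)
        return -1;                   /* treat the device as bogus */
    dev->bNumConfigurations = reported;
    return 0;
}

/* Stand-in for a teardown loop that walks bNumConfigurations entries.
 * Instead of dereferencing past the array, count the iterations that would. */
static int teardown_out_of_bounds(const struct usb_device_model *dev)
{
    int oob = 0;
    for (int i = 0; i < dev->bNumConfigurations; i++) {
        if (i >= dev->configs_allocated) {
            oob++;                   /* dev->config[i] lies past the end */
            continue;
        }
        /* dev->config[i] would be released here */
    }
    return oob;
}

/* Constructed scenario: the device enumerates with 1 configuration, then
 * claims 4 after the reset. Returns the number of out-of-bounds slots the
 * teardown would touch. */
int run_scenario(int hardened)
{
    struct usb_device_model dev;
    int oob;

    if (enumerate(&dev, 1) < 0)
        return -1;
    if (hardened)
        (void)reread_checked(&dev, 4);   /* rejected: count stays at 1 */
    else
        reread_unchecked(&dev, 4);       /* count silently becomes 4 */
    oob = teardown_out_of_bounds(&dev);
    free(dev.config);
    return oob;
}

int main(void)
{
    printf("unchecked re-read: %d slots past the array\n", run_scenario(0));
    printf("checked re-read:   %d slots past the array\n", run_scenario(1));
    return 0;
}
```

The general lesson is that any size a driver records at allocation time must remain the bound for every later loop; a value re-read from the device is attacker input and must be clamped to, or compared against, the original.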
Affected systems include Linux kernels up to version 6.12.1; the vulnerable code path is reached with Extigy and Mbox USB audio devices, or with a device that impersonates one.
The vulnerability is fixed in kernel 6.12.2 and later, and major distributions including Ubuntu and Debian have released updates. Check your distribution's advisory rather than the upstream version number alone, since distributions backport fixes into older kernel lines.
Linux Kernel Out-of-Bounds Read Vulnerability: CVE-2024-53150
This information disclosure flaw (CVSS 7.1) is caused by insufficient validation of the bLength field in USB-audio clock descriptors. A local attacker, or a malicious USB device presenting crafted descriptors, can use it to read kernel memory, potentially exposing encryption keys or credentials.
When traversing clock descriptors (for example the UAC2/UAC3 clock selector descriptors), the driver does not verify that each descriptor's bLength is large enough for the structure it is about to read, so a maliciously short descriptor causes reads beyond the descriptor's bytes.
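A descriptor walk of the kind the paragraph describes, written as an added example rather than taken from the kernel: a class-specific interface descriptor blob is traversed, and the clock-source lookup is shown in its unchecked form (any descriptor with the right subtype is treated as a full structure) and its hardened form (descriptors shorter than the structure are skipped). The constants and the 8-byte layout are modelled on UAC2, the sample blob is constructed here, and the function names (next_cs_desc, find_clock_source) are hypothetical. The unchecked path reports how many bytes past bLength a full-structure read would cover instead of performing that read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants and layout modelled on the UAC2 class-specific interface
 * descriptors (added example, not the kernel's clock-parsing code). */
#define USB_DT_CS_INTERFACE 0x24
#define UAC2_CLOCK_SOURCE   0x0a

struct uac2_clock_source_desc {
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDescriptorSubtype;
    uint8_t bClockID;
    uint8_t bmAttributes;
    uint8_t bmControls;
    uint8_t bAssocTerminal;
    uint8_t iClockSource;
};                                   /* 8 bytes on the wire */

/* Offset of the next class-specific descriptor of `subtype` at or after
 * `start`, or -1. bLength is checked against the buffer here so the walk
 * itself never steps outside `len`; a length below the 3-byte header or
 * beyond the end of the blob terminates the walk. */
static int next_cs_desc(const uint8_t *buf, size_t len, size_t start,
                        uint8_t subtype)
{
    size_t off = start;
    while (off + 3 <= len) {
        uint8_t blen = buf[off];
        if (blen < 3 || off + blen > len)
            return -1;               /* malformed length: stop */
        if (buf[off + 1] == USB_DT_CS_INTERFACE && buf[off + 2] == subtype)
            return (int)off;
        off += blen;
    }
    return -1;
}

/* Find the clock-source descriptor whose bClockID == id.
 * strict == 0: the unchecked pattern. A truncated descriptor is returned as
 *   if it were complete, and *overrun receives the number of bytes beyond
 *   bLength that reading the remaining fields would touch (these bytes
 *   belong to the next descriptor, or lie past the end of the blob).
 * strict == 1: the hardened pattern. Descriptors shorter than the structure
 *   are skipped and *overrun stays 0. */
static int find_clock_source(const uint8_t *buf, size_t len, uint8_t id,
                             int strict, int *overrun)
{
    size_t need = sizeof(struct uac2_clock_source_desc);
    int off = next_cs_desc(buf, len, 0, UAC2_CLOCK_SOURCE);

    *overrun = 0;
    while (off >= 0) {
        uint8_t blen = buf[off];
        /* bClockID is byte 3; it can only be compared if it is inside
         * the descriptor's own bytes. */
        int matches = blen > 3 && buf[off + 3] == id;

        if (matches) {
            if (blen >= need)
                return off;          /* complete descriptor */
            if (!strict) {
                *overrun = (int)(need - blen);
                return off;          /* vulnerable: caller reads past bLength */
            }
            /* strict: truncated descriptor is ignored */
        }
        off = next_cs_desc(buf, len, (size_t)off + blen, UAC2_CLOCK_SOURCE);
    }
    return -1;
}

/* Constructed sample blob: a complete clock source (ID 1), a clock source
 * truncated to 4 bytes (ID 2, bLength should be 8), then an unrelated
 * class-specific descriptor so the walk has something after the short one. */
static const uint8_t sample_blob[] = {
    0x08, 0x24, 0x0a, 0x01, 0x03, 0x07, 0x00, 0x00,
    0x04, 0x24, 0x0a, 0x02,
    0x07, 0x24, 0x0c, 0x03, 0x01, 0x02, 0x00,
};

int main(void)
{
    int ov;
    int off = find_clock_source(sample_blob, sizeof sample_blob, 2, 0, &ov);
    printf("unchecked: ID 2 found at offset %d, %d bytes past bLength\n", off, ov);
    off = find_clock_source(sample_blob, sizeof sample_blob, 2, 1, &ov);
    printf("checked:   ID 2 result %d (truncated descriptor skipped)\n", off);
    return 0;
}
```

Two checks are needed, not one: the walk must validate bLength against the buffer so it cannot leave the blob, and each consumer must validate bLength against the size of the structure it casts to. The page's bug is the second kind; a blob that passes the first check can still carry a descriptor too short for its subtype.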
Affected systems include Linux kernels from 5.4 through 6.12.1, including the kernels shipped on Android devices.
The fix is in upstream kernel 6.12.2; Oracle ships it in UEK kernel 5.15.0-305.176.4.el9uek, and Google's April 2025 Android security update includes it.
These vulnerabilities are reportedly part of a larger exploit chain, together with the previously identified CVE-2024-53104, allegedly developed by digital forensics vendor Cellebrite and used by law enforcement agencies to forcibly unlock Android devices.
The exploits were discovered by Amnesty International's Security Lab during a forensic investigation, while analyzing logs from devices unlocked by Serbian police.
A summary of the vulnerabilities:

| CVE | Affected products | Impact | Exploit prerequisites | CVSS 3.1 score |
| --- | --- | --- | --- | --- |
| CVE-2024-53197 | Linux kernel ALSA USB-audio driver (Extigy, Mbox devices; kernels ≤ 6.12.1) | Privilege escalation, arbitrary code execution | Physical access, malicious USB device | 7.8 (High) |
| CVE-2024-53150 | Linux kernel ALSA USB-audio driver (kernels 5.4–6.12.1, including Android) | Information disclosure | Local access or malicious USB device | 7.1 (High) |
Mitigation
CISA's directive to federal agencies is to apply vendor-provided kernel updates immediately. Practical hardening on top of that:
Apply vendor-provided kernel updates immediately.
Restrict which USB devices may attach, for example with a USBGuard allow-list or by setting the kernel's per-port authorized_default so that unknown devices are not enumerated.
Monitor kernel and udev logs for unexpected USB device attachments, especially audio-class devices appearing on servers or on phones that should be locked.
For enterprises:
Cloud Services: Follow BOD 22-01 guidance for AWS, Azure, and GCP instances.
Android Devices: Install Google's April 2025 security patch, which addresses 62 vulnerabilities including both of these.
The USB attack surface remains an underestimated threat vector for mobile devices, as this trio of zero-days demonstrates: a device that only has to be plugged in supplies the crafted descriptors that drive these bugs, and CVE-2024-53150 in particular leaks kernel memory contents to user space, potentially exposing encryption keys or credentials.
CISA’s directive requires agencies to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Organizations running Linux, particularly on systems that accept USB peripherals, should apply the available patches immediately and consider additional USB device restrictions until every system is updated.
System administrators should also treat unexpected USB device connections, especially audio-class devices, as a potential indicator of compromise and monitor for them.