Linux Kernel Out-of-Bounds Access Vulnerability (CVE-2024-53197)
Linux Kernel contains an out-of-bounds access vulnerability in the USB-audio driver that allows an attacker with physical access to the system to use a malicious USB device to potentially manipulate system memory, escalate privileges, or execute arbitrary code.
A local attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2025-04-30 under CISA BOD 22-01.
This is a Out-of-bounds Write (CWE-787) vulnerability in Linux Kernel. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration. Exploitation requires local access, low attack complexity, a low-privilege authenticated account, and no user interaction required.
Probably yes if any of these apply:
CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2025-04-09 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2025-04-30.
Manual remediation steps
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.