U.S. CISA adds Linux Kernel flaws to its Known Exploited Vulnerabilities catalog


Pierluigi Paganini
April 10, 2025


U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux Kernel flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Linux Kernel flaws, respectively tracked as CVE-2024-53197 and CVE-2024-53150, to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability CVE-2024-53197 (CVSS score of 7.8) resides in the Linux kernel’s ALSA USB-audio driver, in its handling of Extigy and Mbox devices, where incorrect handling of USB configuration data could lead to out-of-bounds memory access. Specifically, the issue involved the bNumConfigurations field provided by connected USB devices. If this value was set higher than the number of configurations allocated in memory, later kernel operations working on this data could access memory beyond its intended bounds, risking memory corruption or system instability. The flaw has now been addressed by validating the configuration count before it is used, ensuring the kernel does not access memory outside of the allocated region.

The vulnerability CVE-2024-53150 (CVSS score of 7.8) resides in the Linux kernel’s ALSA USB-audio driver, where the driver failed to validate the bLength field in USB audio clock descriptors during traversal. This oversight allowed a malicious or misconfigured USB device to supply a descriptor with a shorter-than-expected bLength, potentially leading to out-of-bounds reads.
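Both flaws described above are instances of the same defensive rule: a length or count reported by an untrusted USB device must be checked against what the host actually allocated or received before it is used to read or index memory. The following is an added illustration of that rule, written for this article; it is not the kernel's code, and the descriptor type and subtype constants, the minimum clock-source length, and the sample descriptor blobs are constructed for the example rather than taken from the ALSA driver. It walks a buffer of concatenated descriptors the way a driver traverses class-specific interface descriptors, rejecting any bLength that would run past the buffer and skipping any clock-source descriptor whose bLength is too short for the fields the caller would read, and it shows a configuration count being validated against the allocated count before use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative constants for this example only (not the kernel's definitions). */
#define CS_INTERFACE          0x24  /* class-specific interface descriptor type */
#define CLOCK_SOURCE_SUBTYPE  0x0A  /* subtype byte marking a clock-source descriptor */
#define CLOCK_SOURCE_MIN_LEN  8     /* smallest clock-source descriptor whose fields we would read */

/* Walk concatenated USB descriptors (each starts with bLength, bDescriptorType).
 * Return the offset of the first clock-source descriptor that is long enough
 * to read safely, or -1. The traversal never trusts bLength on its own:
 * it is checked against the remaining buffer before any field is touched. */
int find_clock_source(const uint8_t *buf, size_t len)
{
    size_t off = 0;

    while (off + 2 <= len) {                 /* need at least bLength and bDescriptorType */
        uint8_t blen  = buf[off];
        uint8_t btype = buf[off + 1];

        if (blen < 2)                        /* 0- or 1-byte descriptor: cannot advance safely */
            return -1;
        if (off + blen > len)                /* descriptor claims more bytes than we received */
            return -1;

        /* blen >= 3 guarantees buf[off + 2] lies inside this descriptor. */
        if (btype == CS_INTERFACE && blen >= 3 && buf[off + 2] == CLOCK_SOURCE_SUBTYPE) {
            if (blen < CLOCK_SOURCE_MIN_LEN) { /* too short for the fields we need: skip it */
                off += blen;
                continue;
            }
            return (int)off;
        }
        off += blen;
    }
    return -1;
}

/* Validate a device-reported configuration count against the number of
 * configurations actually allocated. Returns the count if it is usable as an
 * upper bound for indexing, -1 otherwise. */
int validated_config_count(uint8_t reported, size_t allocated)
{
    if (reported == 0 || reported > allocated)
        return -1;                           /* indexing with this count would leave the allocation */
    return reported;
}

/* Constructed sample descriptor blobs (not captured from any real device). */
const uint8_t good_desc[] = {
    9, 0x04, 0, 0, 0, 1, 2, 0x20, 0,                /* interface descriptor, 9 bytes */
    8, 0x24, 0x0A, 0x01, 0x03, 0x00, 0x00, 0x00,    /* clock source, 8 bytes: accepted */
};
const uint8_t short_clock[] = {
    9, 0x04, 0, 0, 0, 1, 2, 0x20, 0,
    3, 0x24, 0x0A,                                  /* clock source claiming only 3 bytes: skipped */
};
const uint8_t overlong[] = {
    9, 0x04, 0, 0, 0, 1, 2, 0x20, 0,
    40, 0x24, 0x0A, 0x01, 0x03, 0x00, 0x00, 0x00,   /* bLength 40 runs past the buffer: rejected */
};

int main(void)
{
    printf("good_desc   -> %d\n", find_clock_source(good_desc, sizeof good_desc));
    printf("short_clock -> %d\n", find_clock_source(short_clock, sizeof short_clock));
    printf("overlong    -> %d\n", find_clock_source(overlong, sizeof overlong));
    printf("config 1/1  -> %d\n", validated_config_count(1, 1));
    printf("config 2/1  -> %d\n", validated_config_count(2, 1));
    return 0;
}
```

The two checks that matter are `off + blen > len` (the device cannot make the parser read past the bytes the host received) and `blen < CLOCK_SOURCE_MIN_LEN` (a descriptor that is syntactically present but too short is skipped rather than having its missing fields read from whatever follows it in memory). Stepping through a real descriptor set with an unvalidated bLength is what the article describes for CVE-2024-53150; using an unvalidated bNumConfigurations as an index is what it describes for CVE-2024-53197.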

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by April 30, 2025.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws, respectively tracked as CVE-2025-30406 and CVE-2025-29824, to its Known Exploited Vulnerabilities (KEV) catalog.


Pierluigi Paganini
