CVE-2024-50302

Linux Kernel Use of Uninitialized Resource Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Attend

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.

A vulnerability was found in the Linux kernel's driver for Human Interface Devices. This flaw allows an attacker to use a malicious input device to read information from the report buffer. This could be used to leak kernel memory, enabling the exploitation of additional vulnerabilities.

In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.

Ye Zhang and Nicolas Wu discovered that the io_uring subsystem in the Linux kernel did not properly handle locking for rings with IOPOLL, leading to a double-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

The Linux kernel contains a use of uninitialized resource vulnerability that allows an attacker to leak kernel memory via a specially crafted HID report.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Active

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-10-21 CVE Reserved
2024-11-19 CVE Published
2025-03-04 Exploited in Wild
2025-03-05 CVE Updated
2025-03-25 KEV Due Date
2025-03-27 EPSS Updated
---------- First Exploit

CWE

CWE-908: Use of Uninitialized Resource

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/27ce405039bfe6d3f4143415c638f56a3df77dca	Vuln. Introduced
https://git.kernel.org/stable/c/b2b6cadad699d44a8a5b2a60f3d960e00d6fb3b7	Vuln. Introduced
https://git.kernel.org/stable/c/fe6c9b48ebc920ff21c10c50ab2729440c734254	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/e7ea60184e1e88a3c9e437b3265cbb6439aa7e26	2024-11-17
https://git.kernel.org/stable/c/3f9e88f2672c4635960570ee9741778d4135ecf5	2024-11-17
https://git.kernel.org/stable/c/d7dc68d82ab3fcfc3f65322465da3d7031d4ab46	2024-11-17
https://git.kernel.org/stable/c/05ade5d4337867929e7ef664e7ac8e0c734f1aaf	2024-11-14
https://git.kernel.org/stable/c/1884ab3d22536a5c14b17c78c2ce76d1734e8b0b	2024-11-14
https://git.kernel.org/stable/c/9d9f5c75c0c7f31766ec27d90f7a6ac673193191	2024-11-14
https://git.kernel.org/stable/c/492015e6249fbcd42138b49de3c588d826dd9648	2024-11-14
https://git.kernel.org/stable/c/177f25d1292c7e16e1199b39c85480f7f8815552	2024-10-29

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-50302	2025-03-19
https://bugzilla.redhat.com/show_bug.cgi?id=2327169	2025-03-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.12 < 4.19.324 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.12 < 4.19.324"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.12 < 5.4.286 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.12 < 5.4.286"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.12 < 5.10.230 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.12 < 5.10.230"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.12 < 5.15.172 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.12 < 5.15.172"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.12 < 6.1.117 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.12 < 6.1.117"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.12 < 6.6.61 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.12 < 6.6.61"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.12 < 6.11.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.12 < 6.11.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.12 < 6.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.12 < 6.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.10.16 Search vendor "Linux" for product "Linux Kernel" and version "3.10.16"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.11.5 Search vendor "Linux" for product "Linux Kernel" and version "3.11.5"		en		Affected