CVE-2024-53197

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

Severity Score

5.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the
initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in
usb_destroy_configuration.

A vulnerability was found in the Linux kernel's USB Audio driver. This flaw allows an attacker with physical access to the system to use a malicious USB device to gain additional access. This is possible by manipulating system memory, potentially escalating privileges, or executing arbitrary code.

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.

Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Attila Szász discovered that the HFS+ file system implementation in the Linux Kernel contained a heap overflow vulnerability. An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-11-19 CVE Reserved
2024-12-27 CVE Published
2025-01-20 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0b4ea4bfe16566b84645ded1403756a2dc4e0f19	2024-12-05
https://git.kernel.org/stable/c/9b8460a2a7ce478e0b625af7c56d444dc24190f7	2024-12-14
https://git.kernel.org/stable/c/62dc01c83fa71e10446ee4c31e0e3d5d1291e865	2024-12-14
https://git.kernel.org/stable/c/9887d859cd60727432a01564e8f91302d361b72b	2024-12-14
https://git.kernel.org/stable/c/920a369a9f014f10ec282fd298d0666129379f1b	2024-12-14
https://git.kernel.org/stable/c/b8f8b81dabe52b413fe9e062e8a852c48dd0680d	2024-12-09
https://git.kernel.org/stable/c/379d3b9799d9da953391e973b934764f01e03960	2024-12-05
https://git.kernel.org/stable/c/b521b53ac6eb04e41c03f46f7fe452e4d8e9bcca	2024-12-05
https://git.kernel.org/stable/c/b909df18ce2a998afef81d58bbd1a05dc0788c40	2024-11-20

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-53197	2025-03-26
https://bugzilla.redhat.com/show_bug.cgi?id=2334412	2025-03-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 4.19.325 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 4.19.325"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.4.287 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.4.287"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.10.231 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.10.231"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 5.15.174 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 5.15.174"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.1.120 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.1.120"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.6.64 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.6.64"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.11.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.11.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.12.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.12.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.12 < 6.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.12 < 6.13"		en		Affected