CVE-2024-53150

Known Exploited
ALSA: usb-audio: Fix out of bounds reads when finding clock sources

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.

Category

7.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.19%
KEV Since 
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/a632bdcb359fd8145e86486ff8612da98e239acd patch
https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b patch
https://git.kernel.org/stable/c/ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9 patch
https://git.kernel.org/stable/c/da13ade87a12dd58829278bc816a61bea06a56a9 patch
https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77 patch
https://git.kernel.org/stable/c/ea0fa76f61cf8e932d1d26e6193513230816e11d patch
https://git.kernel.org/stable/c/096bb5b43edf755bc4477e64004fa3a20539ec2f patch
https://git.kernel.org/stable/c/a3dd4d63eeb452cfb064a13862fb376ab108f6a6 patch

Frequently Asked Questions

What is the severity of CVE-2024-53150?
CVE-2024-53150 has been scored as a high severity vulnerability.
How to fix CVE-2024-53150?
To fix CVE-2024-53150, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-53150 being actively exploited in the wild?
It is confirmed that CVE-2024-53150 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-53150?
CVE-2024-53150 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.