
CVE-2024-53197: Linux Kernel Buffer Overflow Vulnerability

CVE-2024-53197 is a buffer overflow vulnerability in the Linux kernel affecting USB audio devices. Bogus devices can cause out-of-bounds memory accesses. This article covers technical details, affected versions, and mitigation.

CVE-2024-53197 Overview

CVE-2024-53197 is an out-of-bounds write vulnerability [CWE-787] in the Linux kernel's ALSA usb-audio driver, specifically affecting handling of Creative Extigy and Digidesign Mbox USB audio devices. A malicious or malformed USB device can supply a bNumConfigurations value that exceeds the value initially used by usb_get_configuration when allocating dev->config. This mismatch leads to out-of-bounds memory access during operations such as usb_destroy_configuration. The flaw is listed in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed exploitation in the wild.

Critical Impact

A local attacker with the ability to attach a crafted USB device can trigger kernel memory corruption, leading to privilege escalation or full system compromise on affected Linux systems.

Affected Products

  • Linux Kernel (multiple stable branches prior to fix commits)
  • Debian Linux 11.0
  • Distributions shipping vulnerable kernel versions with ALSA usb-audio support

Discovery Timeline

  • 2024-12-27 - CVE-2024-53197 published to NVD
  • 2025-11-04 - Last updated in NVD database
  • CISA KEV - Listed in CISA Known Exploited Vulnerabilities catalog

Technical Details for CVE-2024-53197

Vulnerability Analysis

The vulnerability resides in the ALSA USB audio driver code path that handles quirks for Creative Extigy and Digidesign Mbox devices. During USB device enumeration, the kernel calls usb_get_configuration to allocate the dev->config array based on the device's reported bNumConfigurations descriptor field. A bogus or malicious USB device can later present a different, larger bNumConfigurations value than was used during the initial allocation.

When subsequent code paths iterate over the configurations using the larger value, the kernel reads or writes past the end of the allocated buffer. This out-of-bounds access manifests notably in usb_destroy_configuration, where the cleanup loop walks beyond the allocated array boundary. Out-of-bounds writes in kernel memory can corrupt adjacent allocator metadata or kernel objects, providing a primitive for privilege escalation.

Root Cause

The root cause is an inconsistent trust boundary between two reads of attacker-controlled USB descriptor data. The initial allocation uses one value of bNumConfigurations, while later code assumes the value remains stable. Because USB descriptor data originates from the device itself, a hostile device can return different values across queries, breaking the implicit contract between the allocator and the consumer. The fix bounds the iteration count to the value actually used at allocation time.
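
The mismatch described above, as a simplified userspace model added here for illustration (it is not the kernel's code or the upstream patch). All struct and function names are hypothetical, and the sample counts 1 and 8 are constructed; the teardown loop counts the indices that would fall past the allocation rather than touching them.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: names are hypothetical, not kernel structures. */
struct model_desc { uint8_t bNumConfigurations; };
struct model_dev {
    struct model_desc descriptor; /* cached descriptor, trusted by later code */
    int *config;                  /* array sized once, at first enumeration */
    size_t config_alloc;          /* model-only bookkeeping: slots really allocated */
};

/* First read: allocate one slot per configuration the device reports. */
static int model_get_configuration(struct model_dev *dev, uint8_t reported) {
    dev->config = calloc(reported ? reported : 1, sizeof(*dev->config));
    if (!dev->config) return -1;
    dev->config_alloc = dev->descriptor.bNumConfigurations = reported;
    return 0;
}

/* Second read of device-supplied data. Unbounded: the cached descriptor is
 * overwritten with whatever the device says now. Bounded: a count larger
 * than the one used for allocation is rejected and the cache is kept. */
static int model_reread(struct model_dev *dev, const struct model_desc *fresh, int bounded) {
    if (bounded && fresh->bNumConfigurations > dev->descriptor.bNumConfigurations)
        return -1;
    memcpy(&dev->descriptor, fresh, sizeof(dev->descriptor));
    return 0;
}

/* Teardown driven by the cached count; returns how many indices lie past the allocation. */
static size_t model_destroy_configuration(struct model_dev *dev) {
    size_t oob = 0;
    for (size_t i = 0; i < dev->descriptor.bNumConfigurations; i++) {
        if (i >= dev->config_alloc) { oob++; continue; } /* would be out of bounds */
        dev->config[i] = 0;
    }
    free(dev->config);
    dev->config = NULL;
    return oob;
}

/* Constructed scenario: the device reports `first`, then `second` on the re-read. */
size_t model_scenario(int bounded, uint8_t first, uint8_t second) {
    struct model_dev dev = {0};
    struct model_desc fresh = { second };
    if (model_get_configuration(&dev, first) != 0) return (size_t)-1;
    (void)model_reread(&dev, &fresh, bounded);
    return model_destroy_configuration(&dev);
}
```

With the unbounded re-read, model_scenario(0, 1, 8) reports seven out-of-range indices; with the bounded re-read the larger count is refused and the teardown stays inside the single allocated slot.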

Attack Vector

Exploitation requires local access to attach a malicious USB device, or a compromised peripheral capable of presenting forged descriptors. The vulnerability has been observed exploited in the wild as part of Android-targeted exploit chains where USB debugging interfaces enable peripheral attachment. The attacker presents a USB device identifying as an Extigy or Mbox, then manipulates descriptor responses to trigger the out-of-bounds access during device initialization or teardown. Successful exploitation yields kernel-mode code execution.

No public proof-of-concept code has been released. Technical details are available in the upstream kernel commits referenced in the Kernel Git Commit Reference.

Detection Methods for CVE-2024-53197

Indicators of Compromise

  • Unexpected kernel oops or panic messages referencing usb_destroy_configuration, snd-usb-audio, or ALSA usb-audio quirk handlers
  • KASAN reports flagging out-of-bounds access in USB configuration teardown paths
  • Anomalous USB device attachment events claiming Creative Extigy or Digidesign Mbox identifiers in unexpected contexts
  • Privilege escalation activity correlated with recent USB device enumeration in kernel logs

Detection Strategies

  • Monitor dmesg and journald for ALSA usb-audio driver errors during device enumeration
  • Audit installed kernel versions against the fixed commits listed in the vendor advisory
  • Deploy endpoint detection that flags suspicious USB descriptor patterns and kernel exploitation behaviors
  • Correlate USB attachment events with subsequent process privilege changes

Monitoring Recommendations

  • Enable auditd rules covering udev events and USB device attachment under /sys/bus/usb
  • Forward kernel logs to a centralized analysis platform for cross-host correlation
  • Track CISA KEV catalog additions and prioritize patching kernels flagged as exploited
  • Alert on unsigned or unexpected kernel module loads following USB device events

How to Mitigate CVE-2024-53197

Immediate Actions Required

  • Apply the latest Linux kernel stable updates from your distribution that include the upstream ALSA usb-audio fix
  • Debian 11 administrators should install updates referenced in the Debian LTS Announcement
  • Audit physical and remote USB access on sensitive systems, including Android devices in fleet management
  • Prioritize this CVE due to its presence in the CISA KEV catalog

Patch Information

The Linux kernel maintainers released fixes across multiple stable branches. The fix corrects bounds checking so iteration never exceeds the allocation size used by usb_get_configuration. Reference commits include 0b4ea4bfe165, 379d3b9799d9, 62dc01c83fa7, 920a369a9f01, 9887d859cd60, 9b8460a2a7ce, b521b53ac6eb, b8f8b81dabe5, and b909df18ce2a available at the Kernel Git Commit Reference. Debian users should consult both Debian LTS announcements.

Workarounds

  • Disable the snd-usb-audio kernel module on systems that do not require USB audio support
  • Restrict physical access to USB ports on critical infrastructure and use port-blocking policies
  • Apply USB device authorization policies via /sys/bus/usb/devices/*/authorized to allow only known devices
  • Enforce udev rules that block unknown USB audio class devices until administrative review
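```bash
# Blacklist the snd-usb-audio module if not needed (stops it being auto-loaded on device attach)
echo "blacklist snd_usb_audio" | sudo tee /etc/modprobe.d/blacklist-usb-audio.conf
# Rebuild the initramfs so the blacklist also applies at early boot (Debian/Ubuntu tooling)
sudo update-initramfs -u

# Restrict USB device authorization by default on every host controller, not only usb1.
# Runtime setting: not persistent across reboots, and already-connected devices stay authorized.
for f in /sys/bus/usb/devices/usb*/authorized_default; do
    echo 0 | sudo tee "$f" > /dev/null
done
```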

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
