cbcvebase.
CVE-2024-50302
published 2024-11-19


Priority P278 · medium 5.5 (CVSS 3.1)
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
KEV · ITW
CISA Known Exploited Vulnerability · due 2025-03-25
Exploited in the wild
EPSS: 0.81% · 52.3th percentile
In the Linux kernel, the following vulnerability has been resolved:

HID: core: zero-initialize the report buffer

Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.

Affected

52 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | linux | < linux 6.1.119-1 (bookworm) | linux 6.1.119-1 (bookworm)
debian | linux-6.1 | < linux 6.1.119-1 (bookworm) | linux 6.1.119-1 (bookworm)
google | android | |
linux | linux | |
linux | linux | |
linux | linux | |
linux | linux | >= 27ce405039bfe6d3f4143415c638f56a3df77dca < e7ea60184e1e88a3c9e437b3265cbb6439aa7e26 | e7ea60184e1e88a3c9e437b3265cbb6439aa7e26
linux | linux | >= 27ce405039bfe6d3f4143415c638f56a3df77dca < 3f9e88f2672c4635960570ee9741778d4135ecf5 | 3f9e88f2672c4635960570ee9741778d4135ecf5
linux | linux | >= 27ce405039bfe6d3f4143415c638f56a3df77dca < d7dc68d82ab3fcfc3f65322465da3d7031d4ab46 | d7dc68d82ab3fcfc3f65322465da3d7031d4ab46
linux | linux | >= 27ce405039bfe6d3f4143415c638f56a3df77dca < 05ade5d4337867929e7ef664e7ac8e0c734f1aaf | 05ade5d4337867929e7ef664e7ac8e0c734f1aaf
linux | linux | >= 27ce405039bfe6d3f4143415c638f56a3df77dca < 1884ab3d22536a5c14b17c78c2ce76d1734e8b0b | 1884ab3d22536a5c14b17c78c2ce76d1734e8b0b
linux | linux | >= 27ce405039bfe6d3f4143415c638f56a3df77dca < 9d9f5c75c0c7f31766ec27d90f7a6ac673193191 | 9d9f5c75c0c7f31766ec27d90f7a6ac673193191
linux | linux | >= 27ce405039bfe6d3f4143415c638f56a3df77dca < 492015e6249fbcd42138b49de3c588d826dd9648 | 492015e6249fbcd42138b49de3c588d826dd9648
linux | linux | >= 27ce405039bfe6d3f4143415c638f56a3df77dca < 177f25d1292c7e16e1199b39c85480f7f8815552 | 177f25d1292c7e16e1199b39c85480f7f8815552
linux | linux | >= 3.10.16 < 3.11 | 3.11
linux | linux | >= 3.11.5 < 3.12 | 3.12
linux | linux_kernel | |
linux | linux_kernel | >= 0 < 5.10.234-1 | 5.10.234-1
linux | linux_kernel | >= 0 < 6.1.119-1 | 6.1.119-1
linux | linux_kernel | >= 0 < 6.11.9-1 | 6.11.9-1
linux | linux_kernel | >= 0 < 6.11.9-1 | 6.11.9-1
linux | linux_kernel | >= 0 < 5.4.0-208.228 | 5.4.0-208.228
linux | linux_kernel | >= 0 < 5.15.0-133.144 | 5.15.0-133.144
linux | linux_kernel | >= 0 < 6.8.0-57.59 | 6.8.0-57.59

Detection & IOCs (extracted from sources)

  • CVE-2024-50302 was exploited as part of a chained Android zero-day exploit developed by Cellebrite, used by Serbian authorities to unlock confiscated Android devices. Detection should focus on unexpected HID (Human Interface Device) connections on Android/Linux endpoints, particularly in forensic or law enforcement contexts.
  • The vulnerability enables kernel memory leakage via a specially crafted HID report. Monitor for anomalous or malicious USB HID device connections, especially emulated HID devices, on sensitive Linux/Android systems.
  • Exploitation requires a local, authenticated attacker emulating a malicious Human Interface Device (HID). Audit USB device enumeration events and flag newly connected HID devices on locked or confiscated devices.
  • CVE-2024-50302 is part of a three-CVE exploit chain also involving CVE-2024-53104 (USB Video Class) and CVE-2024-53197 (ALSA USB-audio). Detection pipelines should correlate exploitation attempts across all three CVEs, as they are used together.
  • The vulnerability is in the HID core report buffer allocation path in the Linux kernel. On Android, patch level 2025-03-01 or later addresses this CVE. Systems not yet patched to this level remain vulnerable and should be prioritized.
  • Exploitation requires bypassing KASLR; the vulnerability alone does not guarantee full compromise but enables kernel memory disclosure to facilitate further exploitation.
  • Red Hat Enterprise Linux 10 (both kernel and kernel-rt) and RHEL 9 kernel-rt are listed as Not Affected. Detection/patching efforts should focus on other affected Linux distributions and Android.
  • No vendor mitigation is currently available for affected Red Hat products; the only remediation is patching.
  • Google Pixel devices receive updates immediately, but other Android OEM vendors may take longer to deploy the March 2025 patch, leaving a window of exposure.

CVSS provenance

nvd (v3.1) | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
osv | 8.8 | HIGH
vulncheck | 5.5 | MEDIUM
cisa | 5.5 | MEDIUM
vendor_ubuntu | 8.8 | HIGH
vendor_debian | 5.5 | MEDIUM
vendor_msrc | 5.5 | MEDIUM
vendor_redhat | 5.5 | MEDIUM