⚠ Actively exploited

Added to CISA KEV on 2025-04-09. Federal agencies required to patch by 2025-04-30. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2024-53150 — Out-of-bounds Read in Linux

CWE-125 — Out-of-bounds Read100 documents12 sources

Severity

7.1HIGHNVD

OSV8.8OSV7.8OSV5.5

EPSS

1.1%

top 21.75%

CISA KEV

KEV

Added 2025-04-09

Due 2025-04-30

Exploit

No known exploits

Affected products

Linux Linux Kernel Debian Linux +7 more

Timeline

PublishedDec 24

KEV addedApr 9

KEV dueApr 30

Latest updateDec 16

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages11 packages

▶NVDlinux/linux_kernel5.5 — 5.10.231+6

▶Debianlinux/linux_kernel< 5.10.234-1+3

▶Ubuntulinux/linux_kernel< 5.4.0-211.231+11

▶msrcmsrc/azl3_kernel_6.6.57.1-7_on_azure_linux_3.0

▶msrcmsrc/azl3_kernel_6.6.64.2-1_on_azure_linux_3.0

Also affects: Debian Linux 11.0

Patches

Patch: git.kernel.org ↗Patch: git.kernel.org ↗Patch: git.kernel.org ↗

🔴Vulnerability Details

OSV

linux-azure-fips vulnerabilities↗2025-12-16

▶

OSV

linux-oracle vulnerabilities↗2025-11-19

▶

OSV

linux-fips vulnerabilities↗2025-11-10

▶

OSV

linux-azure, linux-azure-4.15 vulnerabilities↗2025-11-07

▶

OSV

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities↗2025-11-06

▶

📋Vendor Advisories

Ubuntu

Linux kernel (Azure FIPS) vulnerabilities↗2025-12-16

▶

Ubuntu

Linux kernel (Oracle) vulnerabilities↗2025-11-19

▶

Ubuntu

Kernel Live Patch Security Notice↗2025-11-17

▶

Ubuntu

Linux kernel (FIPS) vulnerabilities↗2025-11-10

▶

Ubuntu

Linux kernel (Azure) vulnerabilities↗2025-11-07

▶

🕵️Threat Intelligence

Bleepingcomputer

Google fixes Android zero-days exploited in attacks, 60 other flaws↗2025-04-07

▶

External resources

NVD MITRE CISA KEV

Affected products10

Debian Linuxfixed in linux 6.1.123-1 (bookworm)

Debian Linuxv11.0

Debian Linux-6.1fixed in linux 6.1.123-1 (bookworm)

Google Android

Linux≥ b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a, < a632bdcb359fd8145e86486ff8612da98e239acd≥ b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a, < 45a92cbc88e4013bfed7fd2ccab3ade45f8e896b≥ b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a, < ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9+8 more

Linux Kernel≥ 0, < 5.10.234-1≥ 0, < 6.1.123-1≥ 0, < 6.12.3-1+19 more

Msrc Azl3 Kernel 6.6.57.1-7 ON Azure Linux 3.0

Msrc Azl3 Kernel 6.6.64.2-1 ON Azure Linux 3.0

Msrc Cbl2 Kernel 5.15.173.1-2 ON CBL Mariner 2.0

Msrc Cbl2 Kernel 5.15.176.3-1 ON CBL Mariner 2.0

Disclosure

PublishedDec 24, 2024

KEV addedApr 9, 2025

KEV dueApr 30, 2025

Latest updateDec 16, 2025