In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.
Conclusion & alert: CVE-2024-53150 is rated Critical Active Threat (81/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.12%). Core evidence: CISA KEV confirms active exploitation (added 2025-04-09) affecting Linux / Kernel. a weakness (CWE-125) Unauthenticated remote administrative access may be possible. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Linux Kernel Out-of-Bounds Read Vulnerability · CISA KEV detail
: 2025-04-09
: 2025-04-30
: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-19 | 1.01% | 1.12% | +0.11% |
| 2 | 2026-05-17 | 1.12% | 1.01% | -0.10% |
| 3 | 2026-03-25 | — | 1.12% | — |
Full EPSS history (37 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.1 | 3.1 | HIGH |
|
1.8 | 5.2 | [email protected] |
| 7.1 | 3.1 | HIGH |
|
1.8 | 5.2 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2024-53150 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. | https://security-tracker.debian.org/tracker/CVE-2024-53150 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2024-53150 |
suse
|
medium | — | https://www.suse.com/security/cve/CVE-2024-53150/ |
ubuntu
|
high | CVE-2024-53150 high priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, released 212, ignored 147, not-affected 45, needed 2. | https://ubuntu.com/security/CVE-2024-53150 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| linux | linux_kernel | < 5.4.287 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.5, < 5.10.231 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.11, < 5.15.174 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.16, < 6.1.120 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.2, < 6.6.64 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.7, < 6.11.11 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.12, < 6.12.2 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |