high
7.1
CWE
125
Advisory Published
Updated

CVE-2024-53150: ALSA: usb-audio: Fix out of bounds reads when finding clock sources

First published: Tue Dec 24 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
Linux Kernel<5.4.287
Linux Kernel>=5.5<5.10.231
Linux Kernel>=5.11<5.15.174
Linux Kernel>=5.16<6.1.120
Linux Kernel>=6.2<6.6.64
Linux Kernel>=6.7<6.11.11
Linux Kernel>=6.12<6.12.2
debian/linux<=5.10.223-1<=5.10.226-1
6.1.123-1
6.1.128-1
6.12.12-1
6.12.15-1

Remedy

https://git.kernel.org/stable/c/096bb5b43edf755bc4477e64004fa3a20539ec2f

Remedy

https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b

Remedy

https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77

Remedy

https://git.kernel.org/stable/c/a3dd4d63eeb452cfb064a13862fb376ab108f6a6

Remedy

https://git.kernel.org/stable/c/a632bdcb359fd8145e86486ff8612da98e239acd

Remedy

https://git.kernel.org/stable/c/ab011f7439d9bbfd34fd3b9cef4b2d6d952c9bb9

Remedy

https://git.kernel.org/stable/c/da13ade87a12dd58829278bc816a61bea06a56a9

Remedy

https://git.kernel.org/stable/c/ea0fa76f61cf8e932d1d26e6193513230816e11d

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-53150?

    CVE-2024-53150 has been classified as a moderate severity vulnerability due to the potential for out of bounds reads in the Linux kernel.

  • How do I fix CVE-2024-53150?

    To fix CVE-2024-53150, you should update your Linux kernel to a version that is not affected by this vulnerability.

  • Which Linux kernel versions are affected by CVE-2024-53150?

    CVE-2024-53150 affects Linux kernel versions from 5.4.0 up to, but not including, 5.5.0, and certain versions up to 6.12.2.

  • What component of the Linux kernel is impacted by CVE-2024-53150?

    CVE-2024-53150 impacts the ALSA USB audio driver within the Linux kernel.

  • Is CVE-2024-53150 actively exploited in the wild?

    As of now, there is no public knowledge of CVE-2024-53150 being actively exploited.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203