Linux kernel flaw added to CISA’s exploited vulnerabilities list
![A 3D-Illustration of the word Linux on metallic cubes](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2025/02/020625_linux.jpg)
Actively-exploited Linux kernel flaw requires immediate remediation. (Adobe Stock)
The Cybersecurity and Infrastructure Security Agency (CISA) on Feb. 5 added a high-severity Linux kernel vulnerability to its Known Exploited Vulnerabilities (KEV) list, ordering federal agencies to apply a patch within three weeks.

CISA’s order follows Google issuing a patch for the bug — CVE-2024-53104 — mainly because the flaw could let attackers escalate privileges on the Linux operating systems that run many of its popular Android and Google Pixel devices.

The flaw was described as "an out-of-bounds write weakness in the USB Video Class (UVC) driver that allows physical escalation of privileges with no additional execution privileges needed on unpatched devices."

Tim Peck, senior threat researcher at Securonix, explained that this vulnerability lets attackers with physical access escalate privileges without the need for additional execution rights. An out-of-bounds memory write weakness in the USB Video Class (UVC) driver, as in the case of CVE-2024-53104, occurs when the driver improperly handles certain video frames in the affected "uvc_driver.c" source file. This leads to memory corruption, which could then be used for malicious purposes, such as privilege escalation in this case.

"This corruption can be leveraged to execute arbitrary code within the kernel, effectively granting the attacker elevated privileges on the Linux operating system,” said Peck.

Peck added that patching the vulnerability is essential and the recommended way to prevent exploitation today.

“That being said, the fact that this flaw is actively being exploited in targeted attacks stresses the need for organizations to remain vigilant by incorporating a defense-in-depth security posture,” said Peck.
“In addition to applying patches, some other steps that organizations can perform would be rolling out policies to disable mass storage devices, monitoring for unusual or suspicious alerts on the device."

John Bambenek, president at Bambenek Consulting, said an exploit on the kernel is a very short path to owning the device and, once done, likely lets the attacker persist long after the exploit and makes it hard to dislodge aside from a factory wipe of the device.

“It seems this vulnerability requires physical access to the device, so I presume the backstory to this [might be] that someone has malicious charging stations in the vicinity of government buildings and employees have used the convenience to become victims,” said Bambenek. “Patching in this case is a double-edged sword from the government’s perspective. This technique is used for forensic extractions that are presumably lawful and it may make it difficult to do acquisitions with non-cooperative suspects in the future.”

Patrick Tiquet, vice president, security and architecture at Keeper Security, added that this flaw in the Linux kernel’s USB Video Class (UVC) driver gives attackers with physical access the ability to execute arbitrary code and escalate privileges to take full control of a Linux-based system. Given that forensic data extraction tools may already be leveraging this vulnerability, Tiquet said the risks are significant — particularly for high-value targets.

“While applying the patch is critical, security cannot rely on reactive measures alone,” said Tiquet. “This highlights the importance of a secure by design approach — integrating security into development from the beginning to prevent long-lived vulnerabilities like this. Had stronger memory safety protections and secure coding practices been in place when this driver was first developed, the flaw may have been prevented entirely. Organizations must go beyond patching by implementing kernel hardening, restricting USB access and enforcing a zero-trust security model.”
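As an added example (not from the article or from any vendor quoted in it), the following POSIX shell script gives a defender a concrete way to act on the "restrict USB access" advice above for this specific driver: it lists USB interfaces that advertise the Video class, reports whether the uvcvideo module is loaded, and emits the modprobe fragment that stops the driver from binding until the patched kernel is deployed. The sysfs and /proc paths are parameters so the functions can be exercised against a constructed tree; the 0x0e class code, the /proc/modules format and the /etc/modprobe.d convention are standard Linux values, not taken from the article.

```shell
#!/bin/sh
# Added example: UVC attack-surface check for CVE-2024-53104 (not the article's
# code). Paths are parameters so the functions can run against a constructed
# sysfs/proc tree; with no argument they default to the live system.

# Print the sysfs path of every USB interface whose class is 0x0e (Video),
# i.e. the interfaces the uvcvideo driver binds to.
list_uvc_interfaces() {
    root="${1:-/sys}"
    for f in "$root"/bus/usb/devices/*/bInterfaceClass; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable entry
        cls=$(tr 'A-F' 'a-f' < "$f")     # sysfs writes lowercase hex, be safe
        [ "$cls" = "0e" ] && echo "${f%/bInterfaceClass}"
    done
}

# Number of video-class USB interfaces currently enumerated.
count_uvc_interfaces() {
    list_uvc_interfaces "$1" | wc -l | tr -d ' '
}

# Exit 0 if uvcvideo is listed in /proc/modules (first field is the name).
uvcvideo_loaded() {
    modules="${1:-/proc/modules}"
    [ -r "$modules" ] && grep -q '^uvcvideo ' "$modules"
}

# modprobe.d fragment: "blacklist" stops loading by name, "install ... /bin/false"
# also defeats alias-driven autoload when a webcam-class device is plugged in.
uvcvideo_blacklist_conf() {
    printf 'blacklist uvcvideo\ninstall uvcvideo /bin/false\n'
}

# Stand-alone run: report on this host and show the interim mitigation.
main() {
    echo "video-class USB interfaces present: $(count_uvc_interfaces /sys)"
    if uvcvideo_loaded /proc/modules; then
        echo "uvcvideo is loaded; interim mitigation until the patched kernel ships:"
        uvcvideo_blacklist_conf
        echo "(save to /etc/modprobe.d/uvcvideo-cve-2024-53104.conf, then rmmod uvcvideo)"
    else
        echo "uvcvideo is not loaded"
    fi
}
main
```

Blacklisting the module disables every webcam on the host, so it is a stop-gap for devices that cannot be patched promptly, not a replacement for the kernel update the article recommends.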