Linux kernel flaw added to CISA’s list

The Cybersecurity and Infrastructure Security Agency (CISA) on Feb. 5 added a high-severity Linux kernel vulnerability to its Known Exploited Vulnerabilities (KEV) list, ordering federal agencies to apply a patch within three weeks.

CISA’s order follows Google issuing a patch for the bug — CVE-2024-53104 — mainly because the flaw could let attackers escalate privileges on the Linux operating systems that run many of its popular Android and Google Pixel devices.

The flaw was described as “an out-of-bounds write weakness in the USB Video Class (UVC) driver that allows physical escalation of privileges with no additional execution privileges needed on unpatched devices.”

Tim Peck, senior threat researcher at Securonix, explained that this vulnerability lets attackers with physical access escalate privileges without needing additional execution rights. An out-of-bounds memory write weakness in the USB Video Class (UVC) driver, as in the case of CVE-2024-53104, occurs when the driver improperly handles certain video frames in the affected “uvc_driver.c” file. This leads to memory corruption, which could then be used for malicious purposes, such as privilege escalation in this case.

“This corruption can be leveraged to execute arbitrary code within the kernel, effectively granting the attacker elevated privileges on the Linux operating system,” said Peck.

Peck added that patching the vulnerability is essential and the recommended way to prevent exploitation today.
