CVE-2024-50302 — Linux Kernel Use of Uninitialized Resource Vulnerability

Linux Kernel HID Subsystem — Uninitialized Memory Leak via HID Report Enables Kernel Address Disclosure; Android Forensic Tool Exploitation

What is the Linux Kernel HID Subsystem?

The Linux kernel's Human Interface Device (HID) subsystem manages USB and Bluetooth input devices — keyboards, mice, gamepads, and specialized hardware. When a device connects, the kernel parses its HID report descriptor and allocates buffers to receive device reports. The HID subsystem processes these reports in kernel space with driver-level privilege. On Android devices, the HID subsystem is accessible from USB connections, meaning a malicious USB device (or a device controlled by software) can send crafted HID reports to probe kernel behavior.

Overview

CVE-2024-50302 is a use of uninitialized resource vulnerability in the Linux kernel HID subsystem that allows a local attacker with low privileges to leak kernel memory contents via a specially crafted HID report. On Android devices, this is exploitable through a malicious USB device or from privileged app code. Google TAG confirmed exploitation in the context of forensic access tools used to extract data from locked Android devices. The vulnerability was included in the March 2025 Android Security Bulletin and added to CISA KEV on March 4, 2025.

Affected Versions

Platform                   Status
Linux kernel (upstream)    Fixed — patch published November 19, 2024
Android devices            Patched in March 2025 Android Security Bulletin

Android OEM devices receive patches on varying schedules; check device security patch level.

Technical Details

CWE-908 (Use of Uninitialized Resource). The HID report processing code in the Linux kernel allocates memory buffers to hold report data. A flaw in the initialization sequence causes a buffer or data structure to be returned to a caller or included in a response before it has been fully initialized. The uninitialized memory region retains whatever content was previously stored at that kernel heap location — potentially including kernel pointers, security-sensitive data, or other process memory.

By sending a specially crafted HID report to trigger this code path, an attacker can read the contents of the uninitialized buffer — leaking kernel addresses that defeat KASLR (Kernel Address Space Layout Randomization) or other sensitive kernel data. In a multi-stage exploit chain, this information disclosure is the prerequisite step that allows a subsequent memory corruption exploit (such as CVE-2024-53197 or CVE-2024-53150, both in the USB audio subsystem) to precisely target kernel structures, bypassing ASLR protections.
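The allocation pattern behind this class of bug, as an added example that is not code from this page or from the kernel: a toy heap arena models an allocation handed out without clearing (kmalloc-style) next to one that is zero-filled first (kzalloc-style), and a report buffer sized to the descriptor's maximum report length but only partially filled by a shorter report. The arena, the stale object, the fake pointer value and the sample report are all constructed; the real HID code paths are not reproduced.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 64-byte arena standing in for one kernel heap slab. */
static unsigned char slab[64];
static size_t slab_top;

/* kmalloc model: hands out the next region WITHOUT clearing it. */
static unsigned char *slab_kmalloc(size_t n)
{
    if (slab_top + n > sizeof slab) return NULL;
    unsigned char *p = slab + slab_top;
    slab_top += n;
    return p;
}

/* kzalloc model: same region, zero-filled before it is handed out. */
static unsigned char *slab_kzalloc(size_t n)
{
    unsigned char *p = slab_kmalloc(n);
    if (p) memset(p, 0, n);
    return p;
}

/* Previous tenant: a 32-byte object holding a constructed, fake kernel pointer.
 * "Freeing" it only forgets the allocation; the bytes stay behind. */
static void leave_stale_object(void)
{
    slab_top = 0;
    unsigned char *old = slab_kmalloc(32);
    memset(old, 0xAA, 32);
    memcpy(old + 8, &(uint64_t){ 0xffffffc012345678ULL }, 8); /* not a real address */
    slab_top = 0; /* free */
}

/* Constructed 4-byte input report; the descriptor permits up to 32 bytes. */
static const unsigned char sample_report[] = { 0x01, 0x02, 0x03, 0x04 };
#define REPORT_MAX 32

/* Report-buffer model: buffer sized to the maximum report length, filled only with
 * what the device sent. Returns how many tail bytes still hold the old tenant's data. */
int stale_tail_bytes(int zero_initialize)
{
    leave_stale_object();
    unsigned char *buf = zero_initialize ? slab_kzalloc(REPORT_MAX) : slab_kmalloc(REPORT_MAX);
    memcpy(buf, sample_report, sizeof sample_report);
    int stale = 0;
    for (size_t i = sizeof sample_report; i < REPORT_MAX; i++) stale += buf[i] != 0;
    return stale; /* 28 with the kmalloc model, 0 with the kzalloc model */
}
```

Every byte past the four the device actually sent is inherited from the previous occupant of the slab, including the planted pointer, which is exactly the data a KASLR-defeating read would harvest; zero-initializing the allocation removes the leak at the source.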

Discovery

Identified by Linux kernel security maintainers; attributed to active exploitation by Google TAG in the context of forensic access tools targeting Android devices. The March 2025 CISA KEV addition confirmed that this kernel information disclosure was being used in targeted device forensics — likely chained with kernel write primitives to achieve full device unlocking.

Exploitation Context

Linux kernel information disclosure vulnerabilities in the HID or USB subsystem are particularly relevant to mobile forensics: law enforcement and intelligence agencies use specialized forensic hardware (Cellebrite UFED, GrayKey, etc.) that connects to Android devices via USB and exploits kernel vulnerabilities to extract locked device contents. CVE-2024-50302's kernel memory leak assists these tools in defeating ASLR and precisely targeting kernel data structures with subsequent write exploits. The "limited, targeted exploitation" context means these vulnerabilities are used against specific individuals' devices, not broad populations.

Remediation

  1. Apply the March 2025 Android security update on all managed Android devices — verify via Settings → Security → Security update, patch level 2025-03-01 or later.
  2. Google Pixel devices additionally receive Pixel-specific patches; apply the March 2025 Pixel Security Bulletin.
  3. Android OEM devices receive patches on varying schedules — contact the OEM or check their security bulletin.
  4. Disable USB debugging on all devices not actively in development use — USB-based attacks require physical USB connection.
  5. Enable USB restricted mode where available (Android settings vary by OEM) to block USB data connections when the device is locked.
  6. For devices that cannot receive the March 2025 patch (EOL Android versions), consider replacing devices used in security-sensitive roles.

Key Details

Property              Value
CVE ID                CVE-2024-50302
Vendor / Product      Linux — Kernel
NVD Published         2024-11-19
NVD Last Modified     2025-11-04
CVSS 3.1 Score        5.5
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-908
CISA KEV Added        2025-03-04
CISA KEV Deadline     2025-03-25
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2025-03-25. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-11-19    Linux kernel fix published; CVE-2024-50302 assigned
2025-03-01    Android Security Bulletin for March 2025 includes CVE-2024-50302
2025-03-04    Added to CISA Known Exploited Vulnerabilities catalog
2025-03-25    CISA BOD 22-01 remediation deadline