CVE-2024-53104 — Linux Kernel Out-of-Bounds Write Vulnerability

Linux Kernel UVC Driver — Out-of-Bounds Write via Malicious USB Video Device; Exploited on Android

What is the Linux Kernel UVC Driver?

The Linux kernel's USB Video Class (UVC) driver handles webcams, video capture devices, and any USB device presenting as a UVC-compliant video source. Like the USB audio driver (snd-usb-audio), the UVC driver (uvcvideo) parses structured descriptors provided by the USB device during enumeration, and a malicious USB device can supply crafted descriptors to trigger parsing vulnerabilities. The UVC driver is present in all Linux distributions and in Android, where it handles USB camera accessories. Vulnerabilities in the driver can be triggered by connecting a malicious physical USB device to the target system.

Overview

CVE-2024-53104 is an out-of-bounds write vulnerability in the uvc_parse_streaming function of the Linux kernel UVC driver. A malicious USB video device can trigger the OOB write during the driver's descriptor parsing phase, potentially enabling privilege escalation on the host system. The vulnerability was published in December 2024 and added to the CISA KEV catalog in February 2025, confirming active exploitation. It is part of a broader cluster of USB driver vulnerabilities (alongside CVE-2024-53197 and CVE-2024-53150 in the USB audio driver) confirmed by Google TAG to have been exploited in the Android context via physical USB attacks.

Affected Versions

Platform | Status
Linux Kernel (all distributions) | Fixed in stable kernel releases post-December 2024
Android | Fixed in February 2025 Android Security Bulletin (or later)

Check distribution-specific advisories (RHEL, Ubuntu, Debian, SUSE, etc.) for per-distro patch availability.

Technical Details

CWE-787 (Out-of-Bounds Write). The uvc_parse_streaming function processes the streaming interface descriptors provided by a UVC-compliant USB device. The vulnerability is an integer parsing or size calculation flaw that causes the driver to write beyond the allocated buffer when processing a crafted UVC descriptor with unexpected field values. Kernel out-of-bounds writes can corrupt adjacent memory structures, providing an attacker with a memory corruption primitive that can be escalated to arbitrary kernel code execution or privilege escalation.

In the Android exploitation context, this vulnerability is part of a physical USB exploit chain: a specially constructed USB device triggers the OOB write when plugged into a locked Android phone, with the resulting memory corruption used to bypass security controls and gain elevated access to the device.
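
A simplified user-space model of the failure class described above, added here as an illustration and not taken from the kernel source: a sizing pass and a fill pass that can disagree on which descriptors count as frames, with the fill pass hardened to reject the mismatch and enforce the allocated capacity. The four-byte descriptor layout, the subtype constant and all function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Simplified model, not kernel code. Constructed descriptor layout:
 * [bLength][bDescriptorType][bDescriptorSubType][bFrameIndex] */
#define HDR 4
#define SUB_FRAME 0x05  /* assumed: the only subtype the sizing pass counts */
struct frame { uint8_t index; };
/* Constructed sample: two frame descriptors around one of subtype 0x00. */
static const uint8_t sample[] = {4,0x24,SUB_FRAME,1, 4,0x24,0x00,9, 4,0x24,SUB_FRAME,2};

/* Usable only if the header fits and bLength stays inside the buffer. */
static int desc_ok(const uint8_t *b, size_t len)
{
    return len >= HDR && b[0] >= HDR && (size_t)b[0] <= len;
}

/* Pass 1: size the frame array by counting SUB_FRAME descriptors. */
size_t count_frames(const uint8_t *b, size_t len)
{
    size_t n = 0;
    for (; desc_ok(b, len); len -= b[0], b += b[0])
        n += (b[2] == SUB_FRAME);
    return n;
}

/* Pass 2: store descriptors whose subtype equals ftype; -1 means rejected.
 * Unchecked, an ftype pass 1 never counted makes frames[used++] overflow. */
int parse_frames(const uint8_t *b, size_t len, uint8_t ftype,
                 struct frame *frames, size_t cap)
{
    size_t used = 0;
    if (ftype != SUB_FRAME)        /* check 1: parse only what was counted */
        return -1;
    for (; desc_ok(b, len); len -= b[0], b += b[0]) {
        if (b[2] != ftype)
            continue;
        if (used >= cap)           /* check 2: stay within the pass-1 size */
            return -1;
        frames[used++].index = b[3];
    }
    return (int)used;
}

int main(void)
{
    struct frame f[2];             /* sized for the two frames in sample */
    printf("stored=%d\n", parse_frames(sample, sizeof sample, SUB_FRAME, f, 2));
    printf("mismatch=%d\n", parse_frames(sample, sizeof sample, 0x00, f, 2));
    return 0;
}
```

Check 2 is redundant while check 1 holds; it is kept so that a later change to either pass cannot silently turn a counting disagreement back into a write past the buffer.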

Discovery

The kernel patch was submitted and published via the standard linux-cve-announce mailing list in December 2024. The CISA KEV addition in February 2025 reflects confirmation of active exploitation — consistent with the pattern for the companion USB audio driver vulnerabilities (CVE-2024-53197, CVE-2024-53150) that were confirmed by Google TAG as exploited in forensic tooling.

Exploitation Context

As with CVE-2024-53197 and CVE-2024-53150, the primary confirmed exploitation context is physical USB attacks — most likely forensic extraction tooling used against Android devices. The cluster of USB driver kernel vulnerabilities in the CISA KEV catalog reflects sustained investment by tool vendors and state-sponsored actors in physical-access exploit chains targeting Android. Linux desktop and server systems are also affected but represent a secondary risk given the physical access requirement.

Remediation

  1. Apply the relevant kernel security update for your Linux distribution that includes the fix for CVE-2024-53104.
  2. For Android: apply the February 2025 Android Security Bulletin security patch level or any subsequent level.
  3. Restrict USB device access on Android using USB Restricted Mode or MDM policies that block untrusted USB devices.
  4. For high-risk individuals: use USB data blockers when charging from untrusted sources; consider devices with strict USB security controls.
  5. On Linux servers: use USBGuard or equivalent tooling to prevent unauthorized USB devices from being recognized by the kernel.

Key Details

Property | Value
CVE ID | CVE-2024-53104
Vendor / Product | Linux — Kernel
NVD Published | 2024-12-02
NVD Last Modified | 2025-11-04
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787
CISA KEV Added | 2025-02-05
CISA KEV Deadline | 2025-02-26
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Local
Attack Complexity | Low
Privileges Required | Low
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2025-02-26. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-12-02 | CVE published via linux-cve-announce; kernel patch available
2025-02-05 | Added to CISA Known Exploited Vulnerabilities catalog
2025-02-26 | CISA BOD 22-01 remediation deadline
