CVE-2024-53150 — Linux Kernel Out-of-Bounds Read Vulnerability

CVE-2024-53150

Linux Kernel USB Audio Driver — OOB Read via Malicious USB Device; Chained with CVE-2024-53197 in Android Forensic Exploits

What is the Linux Kernel USB Audio Driver?

The Linux kernel's USB audio driver (snd-usb-audio) is responsible for handling the communication protocol between Linux-based systems — including Android devices — and USB audio hardware. The driver parses USB descriptors and data packets sent by the connected audio device to configure audio streams. Because this parsing occurs in kernel space and processes attacker-controlled data from a connected USB device, vulnerabilities in the driver can be exploited by a malicious USB device to gain kernel-level access.

Overview

CVE-2024-53150 is an out-of-bounds read vulnerability in the Linux kernel's USB audio driver that allows a local attacker with access to a USB port to read sensitive kernel memory by connecting a malicious USB audio device. The information disclosed through the OOB read — such as kernel addresses and heap layout — can be used to defeat address space layout randomization (KASLR) and facilitate further exploitation. Google's Threat Analysis Group confirmed this vulnerability was exploited in the same chain as CVE-2024-53197 (an OOB write in the same driver), with the two together enabling privilege escalation or security bypass on Android devices via a physical USB attack.

Affected Versions

Platform                          Status
Linux Kernel (all distributions)  Fixed in stable kernel releases post-December 2024
Android                           Fixed in April 2025 Android Security Bulletin

Check distribution-specific advisories for per-distro patch availability.

Technical Details

CWE-125 (Out-of-Bounds Read). The USB audio driver reads beyond the end of a buffer when processing certain USB descriptor fields provided by a connected USB audio device. An OOB read in kernel memory typically provides the attacker with:

  1. Kernel heap addresses — defeating KASLR by revealing the runtime base address of kernel structures.
  2. Sensitive data from adjacent memory — potentially including credentials, keys, or data from other kernel subsystems.

In the context of the confirmed exploit chain: CVE-2024-53150 (OOB read) is used to leak kernel addresses needed to aim the write primitive from CVE-2024-53197 (OOB write) at specific kernel structures. Together, the two vulnerabilities form a complete memory corruption exploit chain against the Android kernel. The chain requires physical access to the target device's USB port but does not require the device to be unlocked.
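The descriptor-parsing bug class described above, as an added illustrative example that is not the kernel's own snd-usb-audio code: a defensive walker over device-supplied descriptors that validates every bLength before trusting it, so a short, zero or oversized length from a hostile device cannot steer a read past the end of the buffer. The type and subtype constants follow the USB audio class (UAC2) spec; the sample descriptor blobs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of defensive USB descriptor traversal, not code from
 * snd-usb-audio. Every descriptor starts with bLength, bDescriptorType;
 * audio class-specific interface descriptors (type 0x24) add a subtype at
 * byte 2. 0x0A / 8 bytes are the UAC2 clock source subtype and size. */
#define USB_DT_CS_INTERFACE   0x24
#define UAC2_CLOCK_SOURCE     0x0A
#define UAC2_CLOCK_SOURCE_LEN 8

/* Offset of the first CS_INTERFACE descriptor with this subtype whose bLength
 * covers min_len bytes, or -1. bLength is validated against the 2-byte header
 * and the bytes actually left, so a device-supplied short, zero or oversized
 * bLength can neither push a read past buf nor spin the loop forever. */
static int find_cs_descriptor(const uint8_t *buf, size_t len,
                              uint8_t subtype, size_t min_len)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t blen = buf[off];
        if (blen < 2 || blen > len - off)
            return -1;                 /* malformed: stop, do not overrun */
        if (buf[off + 1] == USB_DT_CS_INTERFACE && blen >= 3 &&
            buf[off + 2] == subtype)
            return blen >= min_len ? (int)off : -1;
        off += blen;
    }
    return -1;
}

/* Constructed samples: a 9-byte AC header, then a clock source that is
 * complete (good), claims 8 bytes with only 4 present (truncated), or
 * declares bLength 3, too short for the fields a parser reads (too_short). */
static const uint8_t good[] = { 0x09, 0x24, 0x01, 0x00, 0x02, 0x01, 0x11, 0x00,
    0x00, 0x08, 0x24, 0x0A, 0x01, 0x03, 0x07, 0x00, 0x00 };
static const uint8_t truncated[] = { 0x09, 0x24, 0x01, 0x00, 0x02, 0x01, 0x11,
    0x00, 0x00, 0x08, 0x24, 0x0A, 0x01 };
static const uint8_t too_short[] = { 0x09, 0x24, 0x01, 0x00, 0x02, 0x01, 0x11,
    0x00, 0x00, 0x03, 0x24, 0x0A };
int main(void)
{
    printf("good=%d truncated=%d too_short=%d\n",
           find_cs_descriptor(good, sizeof good, UAC2_CLOCK_SOURCE, UAC2_CLOCK_SOURCE_LEN),
           find_cs_descriptor(truncated, sizeof truncated, UAC2_CLOCK_SOURCE, UAC2_CLOCK_SOURCE_LEN),
           find_cs_descriptor(too_short, sizeof too_short, UAC2_CLOCK_SOURCE, UAC2_CLOCK_SOURCE_LEN));
    return 0;
}
```

Only the well-formed blob yields an offset (9); the truncated and short descriptors are rejected before any field beyond the header is read.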

Discovery

Identified by Google's Threat Analysis Group (TAG), which tracks exploitation of zero-days by commercial surveillance vendors and state-sponsored actors. Both CVE-2024-53150 and CVE-2024-53197 appear in the April 2025 Android Security Bulletin as actively exploited — confirming the chain was in use before patching.

Exploitation Context

The confirmed exploitation scenario involves forensic tooling (attributed in public reporting to products like Cellebrite) used to access locked and encrypted Android devices. By connecting a malicious USB device that exploits both CVE-2024-53150 (information leak) and CVE-2024-53197 (memory write), an attacker with physical device access can potentially bypass Android's security and extract data — even from a locked, fully encrypted phone. This exploitation model is a concern for journalists, activists, and other high-risk individuals who may have devices seized by adversarial authorities.

Remediation

  1. Apply the relevant kernel security update for your Linux distribution that includes the fix for CVE-2024-53150.
  2. For Android devices: apply the April 2025 Android Security Bulletin security patch level or any later level.
  3. Enable USB Restricted Mode on Android to block USB data connections when the device is locked.
  4. See also the remediation for CVE-2024-53197, which describes the companion OOB write in the same driver and the same exploit chain.
  5. For enterprise management: deploy mobile device management (MDM) policies that enforce USB data restrictions on managed Android devices.

Key Details

Property              Value
CVE ID                CVE-2024-53150
Vendor / Product      Linux — Kernel
NVD Published         2024-12-24
NVD Last Modified     2025-11-04
CVSS 3.1 Score        7.1
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Severity              HIGH
CWE                   CWE-125
CISA KEV Added        2025-04-09
CISA KEV Deadline     2025-04-30
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Local
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2025-04-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-12-24  CVE published via linux-cve-announce; kernel patch available
2025-04-01  Included in Android Security Bulletin April 2025 as actively exploited
2025-04-09  Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2024-53197
2025-04-30  CISA BOD 22-01 remediation deadline