CVE-2024-53197 — Linux Kernel Out-of-Bounds Access Vulnerability

Linux Kernel USB Audio Driver — OOB Write via Malicious USB Device; Exploited on Android by Forensic Tooling

What is the Linux Kernel USB Audio Driver?

The Linux kernel's USB audio driver (snd-usb-audio, under sound/usb/) implements the USB Audio Class protocol for headsets, speakers, microphones, audio interfaces and any other USB device that presents itself as an audio device, plus per-vendor quirks for devices that need extra setup before they will enumerate as audio devices. The driver ships with essentially every Linux distribution and with Android, where it runs whenever the phone acts as a USB host (OTG) and an audio device is attached. Because it parses descriptors and control responses supplied by the device, and does so during enumeration before any user-space policy is consulted, a malicious USB device can feed it crafted data to trigger bugs in its parsing and setup logic.

Overview

CVE-2024-53197 is an out-of-bounds memory access (recorded as CWE-787, out-of-bounds write) in the Linux kernel's USB audio driver, triggered by a malicious USB device attached to a system that enumerates it as a USB host. Exploitation requires physical access to a USB port; no authentication or user interaction on the target is needed. The kernel fix is credited to Benoît Sevens of Google's Threat Analysis Group (TAG). In February 2025 Amnesty International's Security Lab reported that Cellebrite forensic tooling had chained the bug to unlock a seized Android phone, and the April 2025 Android Security Bulletin listed it as under limited, targeted exploitation. CISA added it to the KEV catalog on 2025-04-09 together with CVE-2024-53150, a separate out-of-bounds read in the same driver that appeared in the same bulletin.

Affected Versions

Platform Status
Linux Kernel (all distributions) Fixed upstream in late 2024 and backported to the maintained stable series; the CVE was published 2024-12-27. Any earlier kernel with CONFIG_SND_USB_AUDIO enabled (built in or as a module) is affected.
Android Fixed at the 2025-04-05 security patch level (April 2025 Android Security Bulletin)

Check distribution-specific advisories (RHEL, Ubuntu, Debian, SUSE, etc.) for per-distro patch availability.

Technical Details

CWE-787 (Out-of-Bounds Write). The bug sits in the driver's boot quirks for Creative Extigy and Digidesign Mbox devices (sound/usb/quirks.c). When the kernel first enumerates a USB device it allocates dev->config with one entry per configuration reported in the device descriptor's bNumConfigurations (capped at USB_MAXCONFIG). The Extigy and Mbox quirks send the device a control message to make it load its firmware, wait, and then re-read the device descriptor straight over dev->descriptor. A malicious device can answer that second read with a larger bNumConfigurations than it reported the first time, so dev->descriptor now claims more configurations than dev->config has room for. Any later code that walks the config array up to bNumConfigurations (the upstream description names usb_destroy_configuration) then accesses memory past the allocation. The upstream fix reads the fresh descriptor into a local copy and only commits it to dev->descriptor if bNumConfigurations has not grown. On a Linux system or Android device this kind of kernel memory corruption is a primitive for privilege escalation, bypassing security controls, or arbitrary code execution in kernel context.

The exploit chain reported in the wild involved attaching a crafted USB device to a locked Android phone and combining CVE-2024-53197 with other kernel USB-driver vulnerabilities to gain kernel code execution, bypass the lock screen and extract data from the device. CVE-2024-53150 is a different bug in the same driver (an out-of-bounds read while locating clock-source descriptors) that was patched and flagged alongside it; track and patch it as its own issue rather than assuming the two are one problem.
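To make the bug pattern concrete, here is an added example written for this page (it is not kernel code and not the upstream fix): a user-space model of the descriptor re-read in the Extigy/Mbox quirks, with the vulnerable unconditional overwrite beside the check the fix adds, and a stand-in for the later teardown walk that reports whether it would leave the allocation instead of actually overrunning it. All struct and function names (fake_usb_device, fake_enumerate, reread_descriptor_*, simulate_quirk) are hypothetical; only the field names bNumConfigurations and config mirror the kernel's structures.

```c
/* Added example for this page, not kernel source: a user-space model of the
 * descriptor re-read pattern behind CVE-2024-53197 in sound/usb/quirks.c.
 * Struct and function names here (fake_usb_device, fake_enumerate,
 * reread_descriptor_*, simulate_quirk) are hypothetical; only the field
 * names bNumConfigurations and config mirror the kernel's structures. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USB_MAXCONFIG 8 /* the kernel caps the config array at this size */

struct fake_device_descriptor {
    uint8_t bNumConfigurations;
};

struct fake_host_config {
    char *string; /* stand-in for per-config allocations freed at teardown */
};

struct fake_usb_device {
    struct fake_device_descriptor descriptor; /* what the device last told us */
    struct fake_host_config *config;          /* sized from the FIRST descriptor */
    size_t config_alloc;                      /* entries actually allocated */
};

/* Enumeration: dev->config is sized from the descriptor seen at this point. */
static int fake_enumerate(struct fake_usb_device *dev, uint8_t ncfg)
{
    if (ncfg > USB_MAXCONFIG)
        ncfg = USB_MAXCONFIG;
    dev->descriptor.bNumConfigurations = ncfg;
    dev->config = calloc(ncfg ? ncfg : 1, sizeof(*dev->config));
    if (!dev->config)
        return -1;
    dev->config_alloc = ncfg;
    return 0;
}

/* Vulnerable pattern: after the firmware-load control message the quirk
 * re-reads the device descriptor straight over dev->descriptor. */
static void reread_descriptor_vulnerable(struct fake_usb_device *dev,
                                         const struct fake_device_descriptor *fresh)
{
    memcpy(&dev->descriptor, fresh, sizeof(dev->descriptor));
}

/* Fixed pattern: read into a local, keep it only if bNumConfigurations did
 * not grow past the value dev->config was allocated for. Returns 0 when the
 * new descriptor is accepted, -1 when it is rejected. */
static int reread_descriptor_fixed(struct fake_usb_device *dev,
                                   const struct fake_device_descriptor *fresh)
{
    if (fresh->bNumConfigurations > dev->descriptor.bNumConfigurations)
        return -1;
    memcpy(&dev->descriptor, fresh, sizeof(dev->descriptor));
    return 0;
}

/* Stand-in for a later consumer such as usb_destroy_configuration(), which
 * walks dev->config[0 .. bNumConfigurations). It reports whether that walk
 * would leave the allocation instead of actually doing so. */
static int teardown_would_overrun(const struct fake_usb_device *dev)
{
    return dev->descriptor.bNumConfigurations > dev->config_alloc;
}

/* Run one scenario. Returns 1 if a later walk of dev->config would go out of
 * bounds, 0 if it stays in bounds, -1 if the fixed check rejected the
 * re-read descriptor (so the device keeps its original, consistent one). */
static int simulate_quirk(int use_fix, uint8_t initial_ncfg, uint8_t claimed_ncfg)
{
    struct fake_usb_device dev;
    struct fake_device_descriptor fresh = { .bNumConfigurations = claimed_ncfg };
    int rc;

    if (fake_enumerate(&dev, initial_ncfg) < 0)
        return -2;
    if (use_fix) {
        rc = reread_descriptor_fixed(&dev, &fresh);
    } else {
        reread_descriptor_vulnerable(&dev, &fresh);
        rc = 0;
    }
    if (rc == 0)
        rc = teardown_would_overrun(&dev);
    free(dev.config);
    return rc;
}

int main(void)
{
    /* A device that first reports 1 configuration, then claims 8. */
    printf("vulnerable: overrun=%d\n", simulate_quirk(0, 1, 8));
    printf("fixed:      rc=%d\n", simulate_quirk(1, 1, 8));
    /* An honest device that reports the same count twice is unaffected. */
    printf("honest:     rc=%d\n", simulate_quirk(1, 1, 1));
    return 0;
}
```

Build with `cc -Wall model.c -o model && ./model`. The vulnerable path reports overrun=1 for the 1-then-8 device, the fixed path rejects the second descriptor with -1, and a device that reports a consistent count passes both. The point to carry over to real driver review: any value a device is allowed to change after it has been used to size an allocation must be re-validated against that allocation, not just parsed.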

Discovery

Reported upstream and fixed by Benoît Sevens of Google's Threat Analysis Group (TAG), which tracks zero-day vulnerabilities used by commercial surveillance vendors, nation-state actors and law-enforcement forensic tools; the April 2025 Android Security Bulletin credits TAG and lists the CVE as possibly under limited, targeted exploitation. In-the-wild use was documented by Amnesty International's Security Lab, which found it in a Cellebrite exploit chain recovered from a Serbian student activist's phone.

Exploitation Context

The exploitation context is unusual: the confirmed use case is law enforcement or intelligence agency forensic tooling (Cellebrite UFED or similar products) used to unlock seized Android devices. The target must enumerate the attacker's hardware as a USB host, which a locked Android phone does for anything plugged into its port via OTG; the vulnerable driver code runs during that enumeration, with no lock-screen or consent prompt in the way. Physical USB attacks against locked phones therefore matter most where a device may be seized by a hostile government, by law enforcement with disputed jurisdiction, or by anyone else with physical access. The CISA KEV addition reflects that the kernel bug is not specific to phones: any laptop, workstation, server or embedded system running an unpatched kernel with snd-usb-audio available is exposed to a malicious USB device.

Remediation

  1. Apply the kernel security update for your Linux distribution (Ubuntu, Debian, RHEL, SUSE, etc.) that includes the fix for CVE-2024-53197, and confirm the running kernel (`uname -r`) matches the fixed version in the distro advisory rather than only the installed package.
  2. For Android devices: update to the 2025-04-05 security patch level (April 2025 Android Security Bulletin) or later. The current level can be read with `adb shell getprop ro.build.version.security_patch`.
  3. Do not rely on Android's USB mode setting as a mitigation. "Charging only" governs the phone acting as a USB device (MTP, ADB) and does not stop the phone from enumerating, as host, a device plugged into it, which is where this bug is reached. Where a platform offers a genuine port-control setting that disables USB data while locked, enable it, but treat patching as the fix.
  4. In enterprise settings: enforce USB device control policies that block unrecognized USB devices from connecting to managed systems; on Linux hosts usbguard allow-lists serve this purpose. On systems that never need USB audio, prevent the driver from loading with `install snd-usb-audio /bin/false` in a file under /etc/modprobe.d/ (a plain `blacklist` line does not stop hotplug autoloading).
  5. For high-risk individuals (journalists, activists, executives): prefer devices with strict USB port controls and use USB data blockers that pass power but cut the data lines when charging from untrusted sources. Bear in mind that a seized device is connected by its captor, so the installed patch level, not charging habits, decides the outcome.

Key Details

Property Value
CVE ID CVE-2024-53197
Vendor / Product Linux — Kernel
NVD Published 2024-12-27
NVD Last Modified 2025-11-04
CVSS 3.1 Score 7.8
CVSS 3.1 Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-787
CISA KEV Added 2025-04-09
CISA KEV Deadline 2025-04-30
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Note that the NVD vector scores this as a local attack needing low privileges, the usual template for kernel driver bugs. The exploitation actually observed needs physical access to a USB port (AV:P under CVSS 3.1, which would score lower) but no account or privileges on the target at all. The impact components (C:H/I:H/A:H, full kernel compromise) are the meaningful part for prioritisation.

Required Action

CISA BOD 22-01 Deadline: 2025-04-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date Event
2024-12-27 CVE published via linux-cve-announce; kernel patch available
2025-04-01 Listed in the April 2025 Android Security Bulletin (patch level 2025-04-05) as under limited, targeted exploitation
2025-04-09 Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2024-53150
2025-04-30 CISA BOD 22-01 remediation deadline