U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux Kernel flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) [added](https://www.cisa.gov/news-events/alerts/2025/04/09/cisa-adds-two-known-exploited-vulnerabilities-catalog) two Linux Kernel flaws, tracked as [CVE-2024-53197](https://www.cve.org/CVERecord?id=CVE-2024-53197) and [CVE-2024-53150](https://www.cve.org/CVERecord?id=CVE-2024-53150), to its [Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

The vulnerability [CVE-2024-53197](https://www.cve.org/CVERecord?id=CVE-2024-53197) (CVSS score of 7.8) resides in the Linux kernel's ALSA USB-audio driver and affects Extigy and Mbox devices, where incorrect handling of USB configuration data could lead to out-of-bounds memory access. Specifically, the issue involves the `bNumConfigurations` field provided by a connected USB device. If this value is set higher than the number of configurations the kernel has allocated space for, later kernel operations that index into this data can access memory beyond its intended bounds, risking memory corruption or system instability. The flaw has been addressed by validating the configuration count before it is used, so the kernel never accesses memory outside the allocated region.

The vulnerability [CVE-2024-53150](https://www.cve.org/CVERecord?id=CVE-2024-53150) (CVSS score of 7.8) also resides in the Linux kernel's ALSA USB-audio driver, where the driver failed to validate the `bLength` field of USB audio clock descriptors while traversing them. This oversight allowed a malicious or misconfigured USB device to supply a descriptor with a shorter-than-expected `bLength`, potentially leading to out-of-bounds reads.

According to [Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](https://cyber.dhs.gov/bod/22-01/), FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the [Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by April 30, 2025.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also [added](https://www.cisa.gov/news-events/alerts/2025/04/08/cisa-adds-two-known-exploited-vulnerabilities-catalog) Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws, tracked as [CVE-2025-30406](https://www.cve.org/CVERecord?id=CVE-2025-30406) and [CVE-2025-29824](https://www.cve.org/CVERecord?id=CVE-2025-29824) respectively, to its [Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559) ([**SecurityAffairs**](http://securityaffairs.co/wordpress/) – hacking, [CISA](https://securityaffairs.com/174862/intelligence/cisa-maintains-stance-on-russian-cyber-threats-despite-policy-shift.html))
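The descriptor-traversal defect behind CVE-2024-53150 comes down to trusting a device-supplied `bLength` while stepping through a buffer. The walker below is an added example written for this article, not code from the Linux kernel or from the fix: it shows the check a descriptor parser needs so that a `bLength` shorter than the two-byte descriptor header, or longer than the bytes that remain, is rejected instead of driving the walk out of bounds. The sample byte arrays are constructed for the example, and the descriptor type values are assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Every USB descriptor starts with a 2-byte header: bLength, bDescriptorType. */
#define USB_DT_HEADER_SIZE  2
#define USB_DT_CS_INTERFACE 0x24  /* class-specific interface descriptor (assumed value) */

/* Walk a buffer of concatenated descriptors and return how many were visited,
 * or -1 as soon as a bLength is inconsistent with the buffer.  A bLength below
 * the header size would stall or step backwards; a bLength above the remaining
 * bytes would read past the end of the buffer.  Both are rejected before the
 * value is used to advance. */
int walk_descriptors(const uint8_t *buf, size_t len, int *cs_interface_count)
{
    size_t pos = 0;
    int count = 0;
    if (cs_interface_count)
        *cs_interface_count = 0;
    while (pos < len) {
        if (len - pos < USB_DT_HEADER_SIZE)          /* no room even for a header */
            return -1;
        uint8_t blength = buf[pos];
        uint8_t btype   = buf[pos + 1];
        if (blength < USB_DT_HEADER_SIZE || blength > len - pos)
            return -1;                                /* untrusted length rejected */
        if (btype == USB_DT_CS_INTERFACE && cs_interface_count)
            (*cs_interface_count)++;
        pos += blength;                               /* safe only after the check */
        count++;
    }
    return count;
}

/* Convenience wrapper: number of class-specific interface descriptors, or -1. */
int count_cs_interface(const uint8_t *buf, size_t len)
{
    int cs = 0;
    return walk_descriptors(buf, len, &cs) < 0 ? -1 : cs;
}

/* Constructed sample data (not captured from a real device). */
/* Well-formed: a 9-byte interface descriptor, then an 8-byte CS_INTERFACE descriptor. */
static const uint8_t good_descs[]   = { 9, 0x04, 1, 0, 0, 1, 2, 0x20, 0,
                                        8, 0x24, 0x0A, 1, 0x01, 0, 0, 0 };
/* Malformed: the second descriptor claims bLength=1, shorter than its own header. */
static const uint8_t short_blength[] = { 9, 0x04, 1, 0, 0, 1, 2, 0x20, 0,
                                         1, 0x24, 0x0A };
/* Malformed: the second descriptor claims bLength=20 but only 8 bytes remain. */
static const uint8_t over_long[]     = { 9, 0x04, 1, 0, 0, 1, 2, 0x20, 0,
                                         20, 0x24, 0x0A, 1, 0x01, 0, 0, 0 };
```

The same pattern applies to the `bNumConfigurations` issue in CVE-2024-53197: a device-supplied count must be compared against what the kernel actually allocated before it is used as an index.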