CISA Urges Federal Agencies to Patch Critical Linux Kernel Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux kernel vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which obliges federal agencies to patch it. The high-severity flaw, tracked as CVE-2024-53104, has been actively exploited in targeted attacks and poses a significant risk to any organization that does not address it promptly. Federal agencies must remediate it by February 26, 2025.

What is CVE-2024-53104?

CVE-2024-53104 is a high-severity (CVSS 7.8) vulnerability in the Linux kernel's USB Video Class (UVC) driver, uvcvideo, which handles USB video devices such as webcams; the affected code dates back to kernel version 2.6.26. The flaw is an out-of-bounds write in the uvc_parse_format function. When the driver parses a device's video streaming descriptors it works in two passes: it first counts the frame descriptors of known subtypes in order to size the frame array, then parses the descriptors into that array. For a format of unknown type the expected frame subtype is left as UVC_VS_UNDEFINED, so the parsing loop consumed UVC_VS_UNDEFINED descriptors as frames that the sizing pass had never counted, and wrote past the end of the allocation. Because the descriptors are supplied by the USB device itself, exploitation requires attaching a malicious or emulated device; the resulting kernel memory corruption can then be used for privilege escalation.
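The count-then-fill mismatch described above is easier to see in a small model than in the driver itself. The following is an added illustration written for this article, not the kernel's code: it keeps only the two passes, uses the real UVC descriptor subtype values, and replaces the actual out-of-bounds write with a counter so that it stays memory-safe. The names count_frames, parse_format and oob_writes are invented for the example, as are the two descriptor lists, which are constructed rather than captured from a real device.

```c
#include <stddef.h>
#include <stdint.h>

/* UVC video streaming interface descriptor subtypes (values from the UVC spec). */
#define UVC_VS_UNDEFINED           0x00
#define UVC_VS_FORMAT_UNCOMPRESSED 0x04
#define UVC_VS_FRAME_UNCOMPRESSED  0x05
#define UVC_VS_FORMAT_MJPEG        0x06
#define UVC_VS_FRAME_MJPEG         0x07
#define UVC_VS_FORMAT_FRAME_BASED  0x10
#define UVC_VS_FRAME_FRAME_BASED   0x11

#define MAX_FRAMES 16

/* A descriptor as it arrives from the device: subtype plus a frame index. */
struct uvc_desc  { uint8_t subtype; uint8_t index; };
/* The parsed frame record the driver builds for each frame descriptor. */
struct uvc_frame { uint8_t index; };

/* Pass 1 (models the sizing done in uvc_parse_streaming): only descriptors of a
 * known frame subtype are counted, so a UVC_VS_UNDEFINED descriptor adds nothing. */
static size_t count_frames(const struct uvc_desc *d, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (d[i].subtype == UVC_VS_FRAME_UNCOMPRESSED ||
            d[i].subtype == UVC_VS_FRAME_MJPEG ||
            d[i].subtype == UVC_VS_FRAME_FRAME_BASED)
            c++;
    return c;
}

/* Map a format subtype to the frame subtype that follows it. An unknown format
 * leaves the expected frame type at UVC_VS_UNDEFINED (0), which is the root cause. */
static uint8_t frame_type_for(uint8_t format_subtype)
{
    switch (format_subtype) {
    case UVC_VS_FORMAT_UNCOMPRESSED: return UVC_VS_FRAME_UNCOMPRESSED;
    case UVC_VS_FORMAT_MJPEG:        return UVC_VS_FRAME_MJPEG;
    case UVC_VS_FORMAT_FRAME_BASED:  return UVC_VS_FRAME_FRAME_BASED;
    default:                         return UVC_VS_UNDEFINED;
    }
}

/* Pass 2 (models uvc_parse_format): d[0] is the format descriptor; every following
 * descriptor whose subtype equals ftype is consumed as a frame. Writes beyond
 * nframes are counted instead of performed. Returns the number of out-of-bounds
 * writes the loop attempted. With fixed != 0 the loop refuses to treat
 * UVC_VS_UNDEFINED descriptors as frames, which is what the upstream fix does. */
static size_t parse_format(const struct uvc_desc *d, size_t n,
                           struct uvc_frame *frames, size_t nframes, int fixed)
{
    uint8_t ftype = frame_type_for(d[0].subtype);
    size_t written = 0, oob = 0;

    for (size_t i = 1;
         (!fixed || ftype != UVC_VS_UNDEFINED) && i < n && d[i].subtype == ftype;
         i++) {
        if (written < nframes)
            frames[written].index = d[i].index;   /* in-bounds write */
        else
            oob++;                                /* would corrupt adjacent memory */
        written++;
    }
    return oob;
}

/* Run both passes on a descriptor list and report how many writes went out of bounds. */
size_t oob_writes(const struct uvc_desc *d, size_t n, int fixed)
{
    struct uvc_frame frames[MAX_FRAMES];
    size_t nframes = count_frames(d, n);          /* pass 1: allocation size */
    if (nframes > MAX_FRAMES)
        nframes = MAX_FRAMES;
    return parse_format(d, n, frames, nframes, fixed);
}

/* Constructed input: an MJPEG format with two MJPEG frames. Both passes agree. */
static const struct uvc_desc benign[] = {
    { UVC_VS_FORMAT_MJPEG, 1 }, { UVC_VS_FRAME_MJPEG, 1 }, { UVC_VS_FRAME_MJPEG, 2 },
};

/* Constructed input: a format of unknown subtype (0x7f) followed by three
 * UVC_VS_UNDEFINED descriptors. Pass 1 counts zero frames; the vulnerable pass 2
 * still consumes all three. */
static const struct uvc_desc malicious[] = {
    { 0x7f, 1 }, { UVC_VS_UNDEFINED, 1 }, { UVC_VS_UNDEFINED, 2 }, { UVC_VS_UNDEFINED, 3 },
};

size_t benign_oob(int fixed)    { return oob_writes(benign, 3, fixed); }
size_t malicious_oob(int fixed) { return oob_writes(malicious, 4, fixed); }
```

The general lesson is the one auditors look for in any two-pass parser: the predicate used to size the buffer and the predicate used to fill it must be the same predicate, or the fill pass must re-check the bound it was given. The fix takes the first route by refusing to loop on an undefined frame type; the bounds check in this model shows what the second route would look like.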

Google shipped the fix to Android users in its February 2025 security bulletin, but the flaw lives in the upstream kernel, so CISA's warning applies to every Linux system that carries the uvcvideo driver, including those on federal government networks. Administrators can check whether the driver is loaded with `lsmod | grep uvcvideo` and compare the running kernel against the fixed version listed in their distribution's advisory.

Exploitation in the Wild

According to Google's security bulletin, there are indications that the vulnerability may be under limited, targeted exploitation. The GrapheneOS team has suggested that the flaw is likely one of several USB-based vulnerabilities exploited by forensic data extraction tools, which require physical access to the target device.

CISA’s Mandate for Federal Agencies

Under Binding Operational Directive (BOD) 22-01, issued in November 2021, CISA requires Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities listed in its Known Exploited Vulnerabilities (KEV) catalog by the deadline attached to each entry. CISA added CVE-2024-53104 to the catalog on February 5, 2025 and gave agencies three weeks to deploy patches, setting the deadline at February 26, 2025.

CISA noted that vulnerabilities of this kind are frequent attack vectors for malicious actors and pose significant risks to the federal enterprise, and urged agencies to prioritize patching. Although BOD 22-01 binds only FCEB agencies, CISA recommends that all organizations remediate KEV catalog entries as part of their vulnerability management practice.

Other Active Exploits and Recommendations

In addition to the Linux kernel vulnerability, CISA has also flagged other high-severity vulnerabilities actively exploited in the wild. These include flaws in the Microsoft .NET Framework and Apache OFBiz (Open For Business) software, though CISA has not provided specific information about the threat actors behind these attacks.

CISA’s warning, in collaboration with the cybersecurity agencies of the Five Eyes (U.S., U.K., Australia, Canada, and New Zealand), also includes updated guidance for network edge devices. The advisory encourages manufacturers to improve forensic visibility, which will make it easier for defenders to detect and investigate breaches.
