CISA Warns of Actively Exploited Linux Kernel Vulnerabilities (CVE-2024-53197, CVE-2024-53150)

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning after adding two newly discovered Linux kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that both flaws are being actively weaponized in the wild.

The vulnerabilities, CVE-2024-53197 and CVE-2024-53150, are part of a sophisticated zero-day exploit chain allegedly used by digital forensics vendor Cellebrite and Serbian law enforcement to unlock confiscated Android devices.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA cautioned in its latest advisory.

Tracked as CVE-2024-53197, this high-severity vulnerability is an out-of-bounds access bug found in the USB-audio driver for ALSA (Advanced Linux Sound Architecture) Devices in the Linux kernel.

Discovered during a forensic investigation by Amnesty International’s Security Lab, the vulnerability is part of a larger exploit chain used to forcibly unlock Android devices by law enforcement agencies.

This exploit chain—including CVE-2024-53197, CVE-2024-53104, and CVE-2024-50302—was discovered while analyzing logs found on devices unlocked by Serbian police, Amnesty researchers reported.

The exploit grants local privilege escalation, allowing a connected USB device to compromise a targeted Android system. It was reportedly developed by Cellebrite, a controversial Israeli forensics company known for its phone-cracking technologies.

Other Exploits in the Chain Include:

• CVE-2024-53104 – USB Video Class zero-day, patched in February 2025.

• CVE-2024-50302 – Human Interface Device (HID) zero-day, patched in March 2025.

This trio of zero-days demonstrates how USB attack surfaces remain an underestimated threat vector for mobile devices.

The second vulnerability, CVE-2024-53150, is an information disclosure flaw caused by an out-of-bounds read in the Linux kernel used in Android.

This bug allows local attackers to access sensitive data without needing any user interaction, making it a stealthy and effective tool for targeted surveillance or data exfiltration.

CVE-2024-53150 can be used to leak memory content from the kernel space to user space, potentially exposing encryption keys or credentials.

Google’s April 2025 Android security update includes patches for 62 vulnerabilities, including both of these critical zero-days.

CISA has issued a federal directive requiring all Federal Civilian Executive Branch (FCEB) agencies to patch systems affected by these vulnerabilities no later than April 30, 2025.

Related Posts:

• Cellebrite Spyware Bypasses Android Lock Screens with Zero-Day Flaws
• CISA Adds 12 New Known Actively Exploited Vulnerabilities to its Catalog
• CISA Adds Seven New Vulnerabilities in Known Exploited Vulnerabilities Catalog
• CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
• CISA Expands KEV Catalog with Four Actively Exploited Vulnerabilities

About The Author

Ddos

Ddos is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.

See author's posts