CISA has ordered federal companies to safe their methods inside three weeks in opposition to a high-severity Linux kernel flaw actively exploited in assaults.
Tracked as CVE-2024-53104, the safety bug was first launched in kernel model 2.6.26 and was patched by Google for Android customers on Monday.
“There are indications that CVE-2024-53104 could also be below restricted, focused exploitation,” the Android February 2025 Android safety updates warn.
Based on Google’s safety advisory, this vulnerability is attributable to an out-of-bounds write weak spot within the USB Video Class (UVC) driver, which permits “bodily escalation of privilege with no extra execution privileges wanted” on unpatched gadgets.
The driving force’s incapacity to precisely parse UVC_VS_UNDEFINED frames throughout the uvc_parse_format operate triggers the difficulty, main to border buffer dimension miscalculations and potential out-of-bounds writes.
Whereas Google did not present extra data on the zero-day assaults exploiting this vulnerability, the GrapheneOS growth staff says this USB peripheral driver vulnerability is “doubtless one of many USB bugs exploited by forensic knowledge extraction instruments.”
As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, U.S. federal companies should safe their networks in opposition to ongoing assaults focusing on flaws added to CISA’s Recognized Exploited Vulnerabilities catalog.
The cybersecurity company has given Federal Civilian Govt Department (FCEB) companies three weeks to patch their Linux and Android gadgets by February 26.
“These kinds of vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise,” CISA warned at the moment.
On Tuesday, CISA additionally tagged high-severity and demanding vulnerabilities in Microsoft .NET Framework and Apache OFBiz (Open For Enterprise) software program as actively exploited within the wild. Nevertheless, it did not present particulars on who was behind the assaults.
With 5 Eyes cybersecurity companies within the UK, Australia, Canada, New Zealand, and the U.S., it additionally shared safety steering for community edge gadgets, urging producers to enhance forensic visibility to assist defenders detect assaults and examine breaches.