CVE-2024-50302: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50302 is a vulnerability in the Linux kernel's Human Interface Device (HID) core component that was discovered in late 2024. The vulnerability affects the report buffer allocation in the HID subsystem, where uninitialized kernel memory could potentially be leaked through specially-crafted HID reports (NVD). The issue affects Linux kernel versions from 3.12 up to versions before 4.19.324, 5.4.286, 5.10.230, and 5.15.172 (NVD).

The vulnerability stems from the HID core component's handling of report buffers. The issue occurs because the report buffer, which is used by various drivers, was allocated using kmalloc() without initialization, potentially exposing kernel memory contents. The vulnerability is classified as CWE-908 (Use of Uninitialized Resource). It has received a CVSS v3.1 base score of 5.5 (MEDIUM) from NIST and 7.8 (HIGH) from CISA-ADP (NVD).

The vulnerability could allow a local attacker to leak uninitialized kernel memory through specially crafted HID reports. This information disclosure vulnerability could potentially expose sensitive kernel data to unauthorized users (Hacker News).

The vulnerability has been patched by changing the buffer allocation from kmalloc() to kzalloc() to ensure the buffer is zero-initialized during allocation. The fix has been implemented in the Linux kernel through multiple patches across different versions (Kernel Patch). CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog and requires Federal Civilian Executive Branch agencies to apply vendor patches by March 25, 2025 (CISA).

CISA has classified this vulnerability as a significant risk, adding it to their Known Exploited Vulnerabilities Catalog on March 4, 2025. The vulnerability has gained particular attention due to its involvement in a sophisticated exploit chain used to deploy Android spyware (CISA).