A high-severity Linux kernel vulnerability (CVE-2024-53104) has triggered an emergency response from the Cybersecurity and Infrastructure Security Agency (CISA). Federal agencies have been given a three-week deadline to patch their systems, with compliance required by February 26.
The vulnerability, present since kernel version 2.6.26, stems from an out-of-bounds write flaw in the USB Video Class (UVC) driver. Google has already addressed this issue in their February 2024 Android security updates, noting evidence of limited, targeted exploitation in the wild.
Technical Details:
– The flaw allows privilege escalation, with exploitation requiring physical access to the device
– No additional execution privileges are required
– Caused by improper parsing of frame descriptors of type UVC_VS_UNDEFINED in the UVC driver
– May be exploited by forensic data extraction tools that connect over USB
CISA’s Response:
– Added to Known Exploited Vulnerabilities catalog
– Mandatory patching for Federal Civilian Executive Branch agencies
– Falls under Binding Operational Directive (BOD) 22-01
– Identified as significant risk to federal infrastructure
Additionally, CISA has identified active exploitation of vulnerabilities in Microsoft .NET Framework and Apache OFBiz. The agency, along with Five Eyes partners, has released security guidance for network edge devices, emphasizing the need for improved forensic visibility in security infrastructure.