Seeking Offline Patch for CVE-2024-53197 & CVE-2024-53150 on Rocky Linux 9.2 (Kernel 5.14.0-284.11.1.el9_2)

Hello Rocky Linux Community,

I am currently facing an urgent security issue on a Rocky Linux 9.2 server operating within an air-gapped (offline) internal network.

Current System Details:

  • Operating System: Rocky Linux 9.2
  • Kernel Version: 5.14.0-284.11.1.el9_2.x86_64

Vulnerabilities Requiring Action:

  • CVE-2024-53197 (Out-of-Bounds Memory Access in USB Audio Driver)
  • CVE-2024-53150 (Out-of-Bounds Reads in USB Audio Driver Clock Descriptor Traversal)

As these are critical vulnerabilities, and my system is offline, I cannot perform a standard dnf update to upgrade to Rocky Linux 9.6. I understand that Rocky Linux 9.2 is EOL, and that the comprehensive fix for these CVEs would be to update to the latest Rocky Linux 9.6 kernel (e.g., 5.14.0-570.17.1.el9_6).

However, due to the offline nature and specific organizational constraints, a full upgrade to Rocky Linux 9.6 is currently not feasible. My primary goal is to apply the specific patches for CVE-2024-53197 and CVE-2024-53150 to my existing Rocky Linux 9.2 (5.14.0-284.11.1.el9_2) kernel or obtain an RPM for a patched 5.14.x kernel that is compatible with RL 9.2.

Could anyone please advise on the following:

  1. Do specific patch RPMs for these two CVEs exist for the 5.14.x kernel series that can be manually applied to Rocky Linux 9.2?
  2. If so, could you please provide a direct URL to download these specific RPM packages (e.g., kernel-core, kernel-modules, kernel-devel, kernel-headers) that contain the fixes for CVE-2024-53197 and CVE-2024-53150, and are compatible with the Rocky Linux 9.x architecture, even if they are from a later 9.x minor release (like 9.3, 9.4, 9.5, or 9.6)? I need the specific files to transfer via USB.

I understand that a full upgrade to 9.6 is ideal, but I am looking for the most direct and least disruptive way to address these critical vulnerabilities in my current offline 9.2 environment. Any guidance or links to the relevant RPMs would be immensely appreciated.

Thank you for your time and help.

Welcome to the forums!

There are no 9.2 packages that would satisfy this. Those CVEs were addressed sometime during 9.5 (April, 2025).

Upgrading to a newer kernel without updating other supporting packages, or “cherry picking”, is asking for potential system instability. In my opinion, this is not a risk that you should be willing to make.

I know that you stated you are in an air-gapped network and cannot upgrade all the way to 9.6 at this time, but that is unfortunately your only supported option. I would highly suggest working with your organization’s security team and other stakeholders to explain that in order to address those vulnerabilities, you must get the latest available version of Rocky Linux 9. You may also refer them to our wiki that explains our update and community support policies.


I appreciate your super quick answer.

Other options:

  • If you need to do this frequently, get a support contract with CIQ, who maintain security patches for certain Rocky releases they deem LTS.
  • If the server isn’t using the USB audio driver, you can mitigate by blacklisting the vulnerable driver.
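The blacklisting mitigation from the reply above, written out as an added example (not code from the thread or from Rocky Linux). It assumes the USB audio driver is the `snd-usb-audio` kernel module, which is its usual name on RHEL-family kernels, and uses the 9.6 kernel the poster cites as a conservative "fixed" reference when deciding whether the mitigation is still needed:

```shell
#!/bin/sh
# Added example. Assumption: the vulnerable USB audio driver is the snd-usb-audio module.
MODULE="snd-usb-audio"
CONF="${BLACKLIST_CONF:-/etc/modprobe.d/blacklist-usb-audio.conf}"
# Kernel named in the original question as carrying the fix (the reply says 9.5 already
# had it, so this reference is conservative).
FIXED_REF="5.14.0-570.17.1.el9_6.x86_64"

# Render the modprobe.d drop-in. "blacklist" only stops alias-based autoload when a USB
# audio device is plugged in; "install ... /bin/false" also defeats an explicit modprobe.
render_blacklist_conf() {
    printf 'blacklist %s\ninstall %s /bin/false\n' "$1" "$1"
}

# Return 0 if module $1 appears in lsmod-style output read from stdin.
# lsmod prints underscores, so the dashed name is converted before matching.
module_loaded_in() {
    _name=$(printf '%s' "$1" | tr '-' '_')
    awk -v m="$_name" '$1 == m { found = 1 } END { exit (found ? 0 : 1) }'
}

# Return 0 if kernel release $1 sorts at or above reference $2 (GNU version sort).
kernel_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

apply_mitigation() {
    if kernel_at_least "$(uname -r)" "$FIXED_REF"; then
        echo "running kernel already at or past $FIXED_REF; blacklist not required"
        return 0
    fi
    render_blacklist_conf "$MODULE" > "$CONF"
    # Unload now so the change takes effect without a reboot; if an audio device
    # holds the module, the unload fails and a reboot is needed.
    if lsmod | module_loaded_in "$MODULE"; then
        modprobe -r "$MODULE" || echo "unload failed; reboot to complete" >&2
    fi
    # Verification: should show the /bin/false install line and no .ko path.
    modprobe -n -v "$MODULE"
}

# Only act when explicitly asked (needs root); sourcing or a bare run is side-effect free.
[ "${1:-}" = "apply" ] && apply_mitigation
```

Run as `sh blacklist-usb-audio.sh apply` on the affected host; `lsmod | grep snd_usb_audio` should then print nothing after a reboot.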