Google Addresses 47 Android Security Flaws, Including One Exploited in the Wild
February 4, 2025
By Ravie Lakshmanan
Google has released patches to address 47 security flaws in its Android operating system, including one that has been actively exploited in the wild.
Vulnerability Details
The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), which is a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. Successful exploitation of the flaw could lead to physical escalation of privilege, Google said, noting that it’s aware that it may be under "limited, targeted exploitation."
Linux Kernel Connection
Linux kernel developer Greg Kroah-Hartman revealed in early December 2024 that the vulnerability is rooted in the Linux kernel and that it was introduced in version 2.6.26, which was released in mid-2008.
Out-of-Bounds Write Condition
The flaw is related to an out-of-bounds write condition that could arise as a result of parsing frames of type UVC_VS_UNDEFINED in a function named "uvc_parse_format()" in the uvc_driver.c program.
Weaponization
This also means that the flaw could be weaponized to result in memory corruption, program crash, or arbitrary code execution.
Additional Patch
Google has also patched a critical flaw in Qualcomm’s WLAN component (CVE-2024-45569, CVSS score: 9.8) that could also lead to memory corruption.
Patch Levels
It’s worth noting that Google has released two security patch levels, 2025-02-01 and 2025-02-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.
Action Required
"Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level," Google said.
Stay Informed
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
