Google has released security updates to fix 47 vulnerabilities in its Android operating system, including one that is already being actively exploited.

The most concerning flaw, tracked as CVE-2024-53104 (with a severity score of 7.8), is a privilege escalation issue found in the USB Video Class (UVC) driver, a kernel component. If successfully exploited, this flaw could allow an attacker to gain higher system privileges through physical access. Google has acknowledged that this vulnerability is already being used in limited, targeted attacks.

While Google has not shared many technical details, Linux kernel developer Greg Kroah-Hartman confirmed in December 2024 that the issue originates in the Linux kernel and has been present since version 2.6.26, released in mid-2008. The flaw is an out-of-bounds write that occurs when video frame descriptors of type UVC_VS_UNDEFINED are processed in the function “uvc_parse_format()” in the source file “uvc_driver.c”. In practice this means an attacker could trigger memory corruption, crash the kernel, or execute arbitrary code.
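The following is an added illustration in C; it is not part of the article and is not the kernel's own code. It is a simplified model of the bug pattern that the UVC fix addresses: one pass counts frame descriptors to decide how large the frame array should be, and a second pass parses descriptors into that array using a looser test for what counts as a frame. The model assumes, based on the public kernel fix rather than on this article, that for format types without frames the expected frame subtype is 0, which is the same value as UVC_VS_UNDEFINED. The descriptor layout and both byte streams are constructed for the example; where the kernel's write would run past the array, the model returns -1 instead of writing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor codes from the USB Video Class specification. */
#define USB_DT_CS_INTERFACE        0x24
#define UVC_VS_UNDEFINED           0x00
#define UVC_VS_FORMAT_UNCOMPRESSED 0x04
#define UVC_VS_FRAME_UNCOMPRESSED  0x05
#define UVC_VS_FORMAT_DV           0x0c  /* a format type that carries no frame descriptors */

struct frame {
    uint8_t  index;
    uint16_t width;
    uint16_t height;
};

/* Advance to the next descriptor; returns 0 when bLength is malformed. */
static int next_desc(const uint8_t **buf, size_t *len)
{
    uint8_t blen = (*buf)[0];
    if (blen == 0 || blen > *len)
        return 0;
    *buf += blen;
    *len -= blen;
    return 1;
}

/* Counting pass (the role the kernel's streaming-descriptor scan plays): decides
 * how many frame slots to allocate. Only a real frame subtype is counted; subtype 0
 * (UVC_VS_UNDEFINED) is not. The model keeps a single frame subtype for brevity. */
size_t count_frames(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    while (len > 2 && buf[1] == USB_DT_CS_INTERFACE) {
        if (buf[2] == UVC_VS_FRAME_UNCOMPRESSED)
            n++;
        if (!next_desc(&buf, &len))
            break;
    }
    return n;
}

/* Parse pass in its pre-fix shape: the loop consumes every descriptor whose subtype
 * equals ftype. For a format with no frames the caller passes ftype == 0, i.e.
 * UVC_VS_UNDEFINED, so descriptors of subtype 0 are treated as frames even though
 * count_frames() reserved no slot for them. The kernel wrote past the array at that
 * point; this model returns -1 where that write would have landed. */
int parse_frames_before_fix(const uint8_t *buf, size_t len, uint8_t ftype,
                            struct frame *frames, size_t cap)
{
    size_t n = 0;
    while (len > 8 && buf[1] == USB_DT_CS_INTERFACE && buf[2] == ftype) {
        if (n == cap)
            return -1;  /* counting pass and parse loop disagree on what a frame is */
        frames[n].index  = buf[3];
        frames[n].width  = (uint16_t)(buf[5] | (buf[6] << 8));
        frames[n].height = (uint16_t)(buf[7] | (buf[8] << 8));
        n++;
        if (!next_desc(&buf, &len))
            return -2;  /* malformed bLength */
    }
    return (int)n;
}

/* Post-fix shape: a format that declares no frame subtype never enters the frame
 * loop, so both passes agree on what a frame is and the array is never overrun. */
int parse_frames_after_fix(const uint8_t *buf, size_t len, uint8_t ftype,
                           struct frame *frames, size_t cap)
{
    if (ftype == UVC_VS_UNDEFINED)
        return 0;
    return parse_frames_before_fix(buf, len, ftype, frames, cap);
}

/* Constructed descriptor streams (simplified layout: bLength, 0x24, subtype,
 * bFrameIndex, bmCapabilities, wWidth, wHeight, all little-endian). */
static const uint8_t stream_ok[] = {
    0x04, 0x24, UVC_VS_FORMAT_UNCOMPRESSED, 0x01,                               /* format   */
    0x09, 0x24, UVC_VS_FRAME_UNCOMPRESSED, 0x01, 0x00, 0x80, 0x02, 0xe0, 0x01,  /* 640x480  */
    0x09, 0x24, UVC_VS_FRAME_UNCOMPRESSED, 0x02, 0x00, 0x40, 0x01, 0xf0, 0x00,  /* 320x240  */
};
static const uint8_t stream_bad[] = {
    0x04, 0x24, UVC_VS_FORMAT_DV, 0x01,                                         /* no frames */
    0x09, 0x24, UVC_VS_UNDEFINED, 0x01, 0x00, 0x00, 0x04, 0x00, 0x03,           /* subtype 0 */
    0x09, 0x24, UVC_VS_UNDEFINED, 0x02, 0x00, 0x00, 0x04, 0x00, 0x03,           /* subtype 0 */
};

/* Size the frame table from the counting pass, then run the chosen parser shape on
 * the descriptors that follow the 4-byte format descriptor. */
int run_model(const uint8_t *stream, size_t len, uint8_t ftype, int apply_fix)
{
    struct frame frames[4];
    size_t cap = count_frames(stream, len);
    if (cap > 4)
        cap = 4;
    if (apply_fix)
        return parse_frames_after_fix(stream + 4, len - 4, ftype, frames, cap);
    return parse_frames_before_fix(stream + 4, len - 4, ftype, frames, cap);
}

int main(void)
{
    printf("uncompressed format: before=%d after=%d\n",
           run_model(stream_ok, sizeof stream_ok, UVC_VS_FRAME_UNCOMPRESSED, 0),
           run_model(stream_ok, sizeof stream_ok, UVC_VS_FRAME_UNCOMPRESSED, 1));
    printf("frameless format followed by subtype-0 descriptors: before=%d after=%d\n",
           run_model(stream_bad, sizeof stream_bad, UVC_VS_UNDEFINED, 0),
           run_model(stream_bad, sizeof stream_bad, UVC_VS_UNDEFINED, 1));
    return 0;
}
```

The point for reviewers of any descriptor parser is the one the model makes explicit: when allocation size is computed in one loop and consumption happens in another, the two loops must use the same predicate, and the consuming loop should still carry its own bounds check so that a future disagreement fails closed rather than corrupting memory.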

Additionally, Google’s security update fixes another serious flaw (CVE-2024-45569, severity score: 9.8) in Qualcomm’s WLAN component, which could likewise lead to memory corruption.

To give Android manufacturers flexibility, Google has released two security patch levels: 2025-02-01 and 2025-02-05. The earlier level lets partners quickly ship the fixes that apply to all Android devices, while the later level includes the remaining fixes.

Google has urged Android partners to apply all the fixes in this update and ensure devices are protected with the latest security patch level.