Google fixes Android kernel zero-day exploited in attacks

The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability that has been exploited in the wild.

This high-severity zero-day (tracked as CVE-2024-53104) is a privilege escalation security flaw in the Android Kernel's USB Video Class driver that allows authenticated local threat actors to elevate privileges in low-complexity attacks.

The issue occurs because the driver does not accurately parse frames of the type UVC_VS_UNDEFINED within the uvc_parse_format function. As a result, the frame buffer size is miscalculated, leading to potential out-of-bounds writes that can be exploited in arbitrary code execution or denial-of-service attacks.

In addition to this actively exploited zero-day bug, the February 2025 Android security updates also fix a critical security flaw in Qualcomm's WLAN component.

Qualcomm describes this critical flaw (CVE-2024-45569) as a firmware memory corruption issue caused by an Improper Validation of Array Index weakness in WLAN host communication when parsing the ML IE due to invalid frame content.

CVE-2024-45569 can be exploited by remote attackers to potentially execute arbitrary code or commands, read or modify memory, and trigger crashes in low-complexity attacks that don't require privileges or user interaction.

Android security patch levels

Google released two sets of patches for February 2025, the 2025-02-01 and 2025-02-05 security patch levels. The latter includes all fixes from the first batch and additional patches for closed-source third-party and kernel elements, which may not apply to all Android devices.

Vendors may prioritize the earlier patch set for quicker updates, which does not necessarily indicate increased exploitation risk.

Google Pixel devices will receive updates immediately, while other manufacturers often take longer to test and fine-tune the security patches for various hardware configurations.

In November, Google fixed two more actively exploited Android zero-days (CVE-2024-43047 and CVE-2024-43093), also tagged as exploited in limited, targeted attacks.

CVE-2024-43047 was first marked as actively exploited by Google Project Zero in October 2024. The Serbian government also exploited it in NoviSpy spyware attacks to compromise the Android devices of activists, journalists, and protestors.