February 2025 Android Security Update Fixes 48 Vulnerabilities, Including a Zero-Day Exploit


The February 2025 Android security update patches 48 vulnerabilities, including a high-severity zero-day kernel vulnerability that has been actively exploited in the wild.

Zero-Day Flaw (CVE-2024-53104)

This zero-day flaw, CVE-2024-53104, is a privilege escalation issue in the Android kernel’s USB Video Class (UVC) driver. It allows authenticated local attackers to elevate privileges through low-complexity attacks. The flaw stems from improper parsing of UVC_VS_UNDEFINED frames in the uvc_parse_format function, which leads to miscalculated frame buffer sizes. This can result in out-of-bounds writes, potentially enabling arbitrary code execution or denial-of-service attacks.

Additional Critical Vulnerability in Qualcomm WLAN

Alongside the zero-day fix, the update also addresses a critical security flaw in Qualcomm’s WLAN component. CVE-2024-45569 is a firmware memory corruption vulnerability caused by improper validation of an array index in WLAN host communication. The flaw occurs when parsing ML IE frame content and can be exploited remotely to execute arbitrary code, read or modify memory, or trigger system crashes. Exploitation is low-complexity and requires neither privileges nor user interaction, making it a serious security concern.

Android Security Patch Levels

  • 2025-02-01 security patch level: Covers core vulnerabilities applicable to most devices.
  • 2025-02-05 security patch level: Includes all previous fixes plus additional patches for closed-source third-party and kernel components.

Manufacturers may prioritize the earlier patch set for quicker updates, though this does not necessarily indicate a higher risk of exploitation. Google Pixel devices will receive updates immediately, while other manufacturers may take additional time to test and optimize patches for their specific hardware.
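
A check against the two patch levels above, as an added example that is not part of the original article: it classifies the patch level a device reports (the ro.build.version.security_patch system property) as carrying the full 2025-02-05 set, only the 2025-02-01 core set, or neither. The function names, device names and inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# February 2025 bulletin levels named in the article.

CORE_LEVEL="2025-02-01"   # core fixes
FULL_LEVEL="2025-02-05"   # core + closed-source third-party and kernel fixes

# Turn YYYY-MM-DD into the integer YYYYMMDD; fail on any other shape.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    rest=${1#*-}
    printf '%s%s%s\n' "${1%%-*}" "${rest%%-*}" "${rest#*-}"
}

# Print one of: full, core-only, missing, invalid
classify_patch_level() {
    lvl=$(level_to_int "$1") || { echo invalid; return 0; }
    if [ "$lvl" -ge "$(level_to_int "$FULL_LEVEL")" ]; then echo full
    elif [ "$lvl" -ge "$(level_to_int "$CORE_LEVEL")" ]; then echo core-only
    else echo missing
    fi
}

# Read "name patch_level" lines on stdin; print devices below the full level.
audit_inventory() {
    while read -r name level; do
        [ -n "$name" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = full ] || printf '%s %s %s\n' "$name" "$level" "$status"
    done
}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY='pixel-lab-01 2025-02-05
tablet-kiosk-07 2025-02-01
handset-field-12 2024-12-05
scanner-dock-03 unknown'

# Live device (needs adb; strip the carriage return some adb builds append):
#   classify_patch_level "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
fi
```

Run with --demo to list the sample devices that are not yet at the 2025-02-05 level; an "invalid" result means the reported value should be checked by hand rather than assumed patched.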

Previous Zero-Day Exploits

In November 2024, Google addressed two additional actively exploited Android zero-days, CVE-2024-43047 and CVE-2024-43093, both linked to targeted attacks. Notably, CVE-2024-43047 was identified by Google Project Zero in October 2024 and later confirmed as being used in the NoviSpy spyware campaign. This exploit was leveraged by the Serbian government to compromise the Android devices of activists, journalists, and protestors.

With evolving security threats, users are strongly advised to update their devices as soon as patches become available to mitigate potential risks.

 
