Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104

Feb 04, 2025 | Ravie Lakshmanan | Vulnerability / Mobile Security

Google has shipped patches to address 47 security flaws in its Android operating system, including one it said has come under active exploitation in the wild.

The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver.

Successful exploitation of the flaw could lead to physical escalation of privilege, Google said, noting that it's aware that it may be under “limited, targeted exploitation.”

While no other technical details have been offered, Linux kernel developer Greg Kroah-Hartman revealed in early December 2024 that the vulnerability is rooted in the Linux kernel and that it was introduced in version 2.6.26, which was released in mid-2008.

Specifically, it has to do with an out-of-bounds write condition that could arise as a result of parsing frames of type UVC_VS_UNDEFINED in a function named “uvc_parse_format()” in the “uvc_driver.c” program.

This also means that the flaw could be weaponized to result in memory corruption, program crash, or arbitrary code execution.
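
A simplified model of this class of bug, added here as an illustration and not taken from the kernel source: it assumes the frame buffer is sized by a pass that counts only recognized frame descriptors, while the parser also accepts the undefined type. All names and descriptor values are constructed, and the parser counts the writes that would not fit instead of performing them.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed subtype values for this model, not the kernel's definitions. */
enum { SUBTYPE_UNDEFINED = 0, SUBTYPE_FRAME = 5 };

struct desc  { uint8_t subtype; uint16_t width, height; };
struct frame { uint16_t width, height; };

/* Sizing pass (assumed): only descriptors of a known frame subtype get a slot. */
size_t count_frames(const struct desc *d, size_t n)
{
    size_t slots = 0;
    for (size_t i = 0; i < n; i++)
        if (d[i].subtype == SUBTYPE_FRAME)
            slots++;
    return slots;
}

/* Parsing pass. skip_undefined == 0 models a parser that also stores
 * undefined-type frames; skip_undefined == 1 models one that ignores them.
 * Returns how many frames did not fit in out[cap]. The model refuses those
 * writes and counts them; unchecked C would write past the buffer instead. */
size_t parse_frames(const struct desc *d, size_t n, struct frame *out,
                    size_t cap, int skip_undefined)
{
    size_t used = 0, overflow = 0;
    for (size_t i = 0; i < n; i++) {
        if (d[i].subtype == SUBTYPE_UNDEFINED && skip_undefined)
            continue;
        if (used >= cap) { overflow++; continue; }
        out[used++] = (struct frame){ d[i].width, d[i].height };
    }
    return overflow;
}

/* Constructed input: two ordinary frames and one undefined-type frame. */
static const struct desc SAMPLE[] = {
    { SUBTYPE_FRAME, 640, 480 }, { SUBTYPE_UNDEFINED, 0, 0 }, { SUBTYPE_FRAME, 1280, 720 },
};

/* Sizes the buffer with count_frames(), then runs the chosen parser variant. */
size_t sample_overflow(int skip_undefined)
{
    struct frame buf[3];
    size_t cap = count_frames(SAMPLE, 3);
    return parse_frames(SAMPLE, 3, buf, cap, skip_undefined);
}
```

With the constructed input, the variant that stores undefined-type frames needs one slot more than the sizing pass reserved, and the variant that skips them fits exactly.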

Also patched as part of Google's monthly security updates is a critical flaw in Qualcomm's WLAN component (CVE-2024-45569, CVSS score: 9.8) that could also lead to memory corruption.

It's worth noting that Google has released two security patch levels, 2025-02-01 and 2025-02-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.

“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” Google stated.
