The January 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
This high-severity zero-day (tracked as CVE-2024-53104) is a privilege escalation security flaw in the Android Kernel’s USB Video Class driver that allows authenticated local threat actors to elevate privileges in low-complexity attacks.
The issue occurs because the driver does not correctly parse frames of type UVC_VS_UNDEFINED in the uvc_parse_format function. As a result, the frame buffer size is miscalculated, leading to potential out-of-bounds writes that can be exploited in arbitrary code execution or denial-of-service attacks.
In addition to this actively exploited zero-day bug, the January 2025 Android security updates also fix a critical security flaw in Qualcomm’s WLAN component.
Qualcomm describes this critical flaw (CVE-2024-45569) as a firmware memory corruption issue caused by an Improper Validation of Array Index weakness in WLAN host communication when parsing the ML IE due to invalid frame content.
CVE-2024-45569 can be exploited by remote attackers to potentially execute arbitrary code or commands, read or modify memory, and trigger crashes in low-complexity attacks that don’t require privileges or user interaction.
Android security patch levels
Google released two sets of patches for January 2025, the 2025-02-01 and 2025-02-05 security patch levels. The latter includes all fixes from the first batch and additional patches for closed-source third-party and kernel elements, which may not apply to all Android devices.
Vendors may prioritize the earlier patch set for quicker updates, which does not necessarily indicate increased exploitation risk.
Google Pixel devices will receive updates immediately, while other manufacturers often take longer to test and fine-tune the security patches for various hardware configurations.
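As an added example (not part of the original article or of Google's bulletin), the script below classifies reported patch levels against the two levels named above, so a fleet owner can see which devices carry only the first patch set. The property `ro.build.version.security_patch` is Android's own; the function names, the status labels and the sample inventory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit device patch levels against the two levels in the article.
# On a live device the value comes from:
#   adb shell getprop ro.build.version.security_patch

BASE_LEVEL=20250201   # 2025-02-01: first patch set
FULL_LEVEL=20250205   # 2025-02-05: first set plus third-party/kernel fixes

# Print full | partial | missing | invalid for one patch-level string.
# The four labels are this example's own, not Android terminology.
classify_patch_level() {
    lvl=$(printf '%s' "$1" | tr -d '\r')    # adb output can carry a trailing CR
    case "$lvl" in
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    n=$(printf '%s' "$lvl" | tr -d '-')     # YYYY-MM-DD -> YYYYMMDD for integer compare
    if [ "$n" -ge "$FULL_LEVEL" ]; then echo full
    elif [ "$n" -ge "$BASE_LEVEL" ]; then echo partial
    else echo missing
    fi
}

# Read "serial patch-level" lines on stdin, print "serial status".
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_patch_level "$level")"
    done
}

# Serials that do not yet carry the complete 2025-02-05 level.
needs_update() {
    audit_inventory | awk '$2 != "full" { print $1 }'
}

# Constructed sample inventory (hypothetical serials, not real devices).
SAMPLE_INVENTORY='pixel-lab-01 2025-02-05
tablet-qa-07 2025-02-01
phone-field-12 2024-12-05
kiosk-03 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

A device reported as `partial` has the 2025-02-01 fixes but not the additional closed-source third-party and kernel patches that the 2025-02-05 level adds.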
In November, Google fixed two more actively exploited Android zero-days (CVE-2024-43047 and CVE-2024-43093), also tagged as exploited in limited, targeted attacks.
CVE-2024-43047 was first marked as actively exploited by Google Project Zero in October 2024. The Serbian authorities also exploited it in NoviSpy spyware attacks to compromise the Android devices of activists, journalists, and protestors.