Google Patches Android Kernel Zero-Day Exploited in Attacks and Other Vulnerabilities in January 2025 Security Updates
February 3, 2025
In its January 2025 security updates, Google patched 48 vulnerabilities, including a zero-day kernel vulnerability (CVE-2024-53104) that has been exploited in the wild. This high-severity flaw is a privilege escalation issue in the Android kernel's USB Video Class (UVC) driver, which allows authenticated local attackers to elevate privileges through low-complexity attacks. The bug stems from the driver mishandling frames of type UVC_VS_UNDEFINED in the uvc_parse_format function, so the frame buffer size is miscalculated. The resulting out-of-bounds writes can lead to arbitrary code execution or denial of service.
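The size-then-parse pattern behind this bug class, as an added illustrative model in C (constructed for this example, not the Linux uvcvideo driver's code): a first pass sizes the frame array by counting descriptors of a recognised frame subtype, and the second pass stores a frame only when its subtype is one the first pass counted and the index is still in bounds. The USB descriptor-type and UVC subtype constants are the standard USB Video Class values; the function names, the `parsed` array and the descriptor bytes are constructed for this example.

```c
/* Illustrative model of the frame-descriptor counting bug class described above;
 * constructed for this example, not the Linux uvcvideo driver's code. */
#include <stddef.h>
#include <stdint.h>
#define USB_DT_CS_INTERFACE       0x24  /* USB class-specific interface descriptor */
#define UVC_VS_UNDEFINED          0x00  /* UVC VS descriptor subtypes */
#define UVC_VS_FRAME_UNCOMPRESSED 0x05
#define UVC_VS_FRAME_MJPEG        0x07
struct frame { uint16_t width, height; };
struct frame parsed[8];  /* destination array used by the demo */
static int is_frame_subtype(uint8_t st) {
    return st == UVC_VS_FRAME_UNCOMPRESSED || st == UVC_VS_FRAME_MJPEG;
}
/* Pass 1: size the frame array by counting descriptors whose subtype is a
 * known frame type. UVC_VS_UNDEFINED (0) descriptors are not counted. */
size_t count_frames(const uint8_t *buf, size_t len) {
    size_t n = 0;
    while (len >= 3 && buf[0] >= 3 && (size_t)buf[0] <= len) {
        if (buf[1] == USB_DT_CS_INTERFACE && is_frame_subtype(buf[2])) n++;
        len -= buf[0]; buf += buf[0];
    }
    return n;
}
/* Pass 2: store frames matching `ftype` (the subtype chosen by the format
 * descriptor) into an array of nframes entries. The bug class: if pass 2
 * accepts a subtype pass 1 never counted (e.g. ftype == UVC_VS_UNDEFINED),
 * more frames are stored than were allocated. Here an uncounted ftype is
 * rejected and the index is bounds-checked; returns frames stored or -1. */
int parse_frames(const uint8_t *buf, size_t len, uint8_t ftype,
                 struct frame *frames, size_t nframes) {
    size_t n = 0;
    if (!is_frame_subtype(ftype)) return -1;
    while (len >= 3 && buf[0] >= 3 && (size_t)buf[0] <= len) {
        if (buf[1] == USB_DT_CS_INTERFACE && buf[2] == ftype) {
            if (n >= nframes || buf[0] < 9) return -1;  /* would overrun */
            frames[n].width  = (uint16_t)(buf[5] | buf[6] << 8);  /* wWidth */
            frames[n].height = (uint16_t)(buf[7] | buf[8] << 8);  /* wHeight */
            n++;
        }
        len -= buf[0]; buf += buf[0];
    }
    return (int)n;
}
/* Constructed descriptor bytes: one UVC_VS_UNDEFINED descriptor followed by
 * two MJPEG frame descriptors (640x480 and 1280x720). */
const uint8_t sample_desc[] = {
    0x09, 0x24, 0x00, 0x01, 0x00, 0x80, 0x02, 0xe0, 0x01,
    0x09, 0x24, 0x07, 0x01, 0x00, 0x80, 0x02, 0xe0, 0x01,
    0x09, 0x24, 0x07, 0x02, 0x00, 0x00, 0x05, 0xd0, 0x02 };
```

Sizing the array with `count_frames` and then calling `parse_frames` with a subtype the count never included is exactly the mismatch that turns a malformed descriptor into an out-of-bounds write.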
In addition to this zero-day, the security updates fix a critical flaw (CVE-2024-45569) in Qualcomm's WLAN component. Described by Qualcomm as a firmware memory corruption issue, it is caused by an Improper Validation of Array Index weakness in WLAN host communication when parsing the ML IE with invalid frame content. Remote attackers can exploit it to execute arbitrary code or commands, read or modify memory, and crash the system, in low-complexity attacks that require neither user interaction nor privileges.
Google released two patch sets for January 2025, the 2025-02-01 and 2025-02-05 security patch levels. The second set includes all fixes from the first plus additional patches for closed-source third-party and kernel components, which may not apply to every Android device. Device manufacturers may choose to ship the earlier patch level first to get updates out faster; doing so does not signify a heightened risk of exploitation. Google Pixel devices receive these updates immediately, whereas other manufacturers may need more time to test and adapt the patches for their hardware configurations.
In November, Google patched two more Android zero-days (CVE-2024-43047 and CVE-2024-43093), which were exploited in limited, targeted attacks. CVE-2024-43047 was first identified as actively exploited by Google Project Zero in October 2024 and was later used by the Serbian government in NoviSpy spyware attacks to compromise the Android devices of activists, journalists, and protestors.