Google has shipped patches to address 47 security flaws in its Android operating system, including one it said has come under active exploitation in the wild.
The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver.
Successful exploitation of the flaw could lead to physical escalation of privilege, Google said, noting that it is aware that it may be under “limited, targeted exploitation.”
While no other technical details have been offered, Linux kernel developer Greg Kroah-Hartman revealed in early December 2024 that the vulnerability is rooted in the Linux kernel and that it was introduced in version 2.6.26, which was released in mid-2008.

Specifically, it has to do with an out-of-bounds write condition that could arise as a result of parsing frames of type UVC_VS_UNDEFINED in a function named “uvc_parse_format()” in the “uvc_driver.c” program.
This also means that the flaw could be weaponized to result in memory corruption, program crash, or arbitrary code execution.
Also patched as part of Google’s monthly security updates is a critical flaw in Qualcomm’s WLAN component (CVE-2024-45569, CVSS score: 9.8) that could also lead to memory corruption.
It's worth noting that Google has released two security patch levels, 2025-02-01 and 2025-02-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.
“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” Google said.
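
For teams tracking rollout of this bulletin, the following added example (not code from Google or from the original article) sorts a device inventory by the two patch levels named above; only a level of 2025-02-05 or later indicates that every issue in the bulletin is addressed. It assumes each inventory line holds a device ID and the value of the device's `ro.build.version.security_patch` property; the device names and the inventory format are constructed for illustration.

```python
from datetime import date

# Patch levels named in the February 2025 bulletin discussed above.
PARTIAL_LEVEL = date(2025, 2, 1)
FULL_LEVEL = date(2025, 2, 5)


def classify_patch_level(raw):
    """Classify a security patch level string (YYYY-MM-DD)."""
    try:
        level = date.fromisoformat(raw.strip())
    except ValueError:
        # Missing or malformed value: report it instead of guessing.
        return "unknown"
    if level >= FULL_LEVEL:
        return "full"        # all issues in this bulletin addressed
    if level >= PARTIAL_LEVEL:
        return "partial"     # only the 2025-02-01 subset addressed
    return "unpatched"       # predates both levels of this bulletin


def audit(inventory_text):
    """Group device IDs from 'device_id,patch_level' lines by status."""
    report = {"full": [], "partial": [], "unpatched": [], "unknown": []}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, _, raw = line.partition(",")
        report[classify_patch_level(raw)].append(device.strip())
    return report


# Constructed sample inventory (hypothetical device names).
SAMPLE_INVENTORY = """\
# device_id,security_patch
pixel-lab-01,2025-02-05
tablet-kiosk-07,2025-02-01
handheld-wh-12,2024-12-05
phone-byod-33,2025-03-01
scanner-old-02,
"""

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status:9} {', '.join(devices) or '-'}")
```

Devices reported as `partial`, `unpatched` or `unknown` are the ones to prioritise for the update.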