February 3, 2025 By Sergiu Gatlan
The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability that has been exploited in the wild.
This high-severity zero-day (tracked as CVE-2024-53104) is a privilege escalation security flaw in the Android Kernel's USB Video Class driver that allows authenticated local threat actors to elevate privileges in low-complexity attacks.
The issue occurs because the driver does not accurately parse frames of the type UVC_VS_UNDEFINED within the uvc_parse_format function. As a result, the frame buffer size is miscalculated, leading to potential out-of-bounds writes that can be exploited in arbitrary code execution or denial-of-service attacks.
In addition to this actively exploited zero-day bug, the February 2025 Android security updates also fix a critical security flaw in Qualcomm's WLAN component.
Qualcomm describes this critical flaw (CVE-2024-45569) as a firmware memory corruption issue caused by an Improper Validation of Array Index weakness in WLAN host communication when parsing the ML IE due to invalid frame content.
CVE-2024-45569 can be exploited by remote attackers to potentially execute arbitrary code or commands, read or modify memory, and trigger crashes in low-complexity attacks that don't require privileges or user interaction.
