Google has shipped patches to handle 47 safety flaws in its Android working system, together with one it mentioned has come underneath lively exploitation within the wild.
The vulnerability in query is CVE-2024-53104 (CVSS rating: 7.8), which has been described as a case of privilege escalation in a kernel part often called the USB Video Class (UVC) driver.
Profitable exploitation of the flaw might result in bodily escalation of privilege, Google mentioned, noting that it is conscious that it could be underneath “restricted, focused exploitation.”
Whereas no different technical particulars have been provided, Linux kernel developer Greg Kroah-Hartman revealed in early December 2024 that the vulnerability is rooted within the Linux kernel and that it was launched in model 2.6.26, which was launched in mid-2008.
Particularly, it has to do with an out-of-bounds write situation that might come up because of parsing frames of sort UVC_VS_UNDEFINED in a operate named “uvc_parse_format()” within the “uvc_driver.c” program.
This additionally implies that the flaw may very well be weaponized to lead to reminiscence corruption, program crash, or arbitrary code execution.
Additionally patched as a part of Google’s month-to-month safety updates is a vital flaw in Qualcomm’s WLAN part (CVE-2024-45569, CVSS rating: 9.8) that might additionally result in reminiscence corruption.
It is price noting that Google has launched two safety patch ranges, 2025-02-01 and 2025-02-05, in order to provide flexibility to Android companions to handle a portion of vulnerabilities which are comparable throughout all Android gadgets extra shortly.
“Android companions are inspired to repair all points on this bulletin and use the newest safety patch degree,” Google mentioned.