
Google on Monday released the February 2025 security patch for Android devices. The update brings important security fixes for discovered vulnerabilities, ranging from high to critical severity, including one CVE that is said to have been “actively exploited”. Several flaws target devices powered by Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc components, while other vulnerabilities affect general system components such as the framework and kernel.
February 2025 Security Patch for Android
According to Google’s Android Security Bulletin for February 2025, a total of 47 discovered vulnerabilities have been patched with the latest update. Following the rollout, the Mountain View-based technology giant has also released the source code patches for these issues to the Android Open Source Project (AOSP) repository. Google notes that one of the vulnerabilities, with the identifier CVE-2024-53104, is related to the USB Video Class (UVC) driver subcomponent and may be “under limited, targeted exploitation”.
With a high severity and a CVSS score of 7.8, it could lead to “physical escalation of privilege with no additional execution privileges needed”, as per the bulletin. While Google has not shared any other details, the National Vulnerability Database, which is the US government’s repository of standards-based vulnerability management data, describes it as a video subsystem flaw in the Linux kernel.
It occurred when the uvc_parse_format function handled UVC_VS_UNDEFINED frames but, rather than skipping or ignoring the undefined frames, parsed them anyway. The uvc_parse_streaming function, which calculates the buffer size, created this vulnerability because it sized the buffer for the expected frames but did not account for the undefined ones. Thus, the attempt to write the parsed frame data ran past the allocated buffer, creating an out-of-bounds write.
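The mismatch described above, as an added, simplified model that is not the kernel’s own code: one pass sizes the frame array by counting only defined descriptors, a second pass fills it, and when the second pass does not skip UVC_VS_UNDEFINED descriptors its writes run past the count the first pass produced. The descriptor list, struct layouts and run_model/parse_frames names are constructed for illustration; only the two UVC subtype constants are real.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Real UVC descriptor subtype values; the structs below are a toy layout. */
#define UVC_VS_UNDEFINED          0x00
#define UVC_VS_FRAME_UNCOMPRESSED 0x05

struct desc  { uint8_t subtype; uint8_t index; };
struct frame { uint8_t index; };

/* Sizing pass (stands in for uvc_parse_streaming): only defined frames count. */
static size_t count_frames(const struct desc *d, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (d[i].subtype != UVC_VS_UNDEFINED) c++;
    return c;
}

/* Parsing pass (stands in for uvc_parse_format). With skip_undefined == 0 the
 * undefined descriptors are parsed too, so the write index exceeds nframes;
 * the explicit bounds check here reports that instead of corrupting memory.
 * Returns frames written, or -1 when a write would land out of bounds. */
static int parse_frames(const struct desc *d, size_t n, struct frame *out,
                        size_t nframes, int skip_undefined) {
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        if (skip_undefined && d[i].subtype == UVC_VS_UNDEFINED) continue;
        if (w >= nframes) return -1;           /* the out-of-bounds write */
        out[w++].index = d[i].index;
    }
    return (int)w;
}

/* Runs both passes over a constructed descriptor list mixing defined and
 * undefined frames. -1 reproduces the mismatch; 2 means the passes agree. */
int run_model(int skip_undefined) {
    const struct desc descs[] = {
        { UVC_VS_FRAME_UNCOMPRESSED, 1 },
        { UVC_VS_UNDEFINED,          0 },
        { UVC_VS_FRAME_UNCOMPRESSED, 2 },
        { UVC_VS_UNDEFINED,          0 },
    };
    size_t n = sizeof descs / sizeof descs[0];
    size_t nframes = count_frames(descs, n);          /* 2 */
    struct frame *frames = calloc(nframes, sizeof *frames);
    int r = parse_frames(descs, n, frames, nframes, skip_undefined);
    free(frames);
    return r;
}
```

The defender’s takeaway is the invariant: whichever pass allocates must apply exactly the same filter as the pass that writes, and a sanity check on the write index against the allocated count makes a disagreement fail closed.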
Out of the 47 vulnerabilities patched with the February 2025 update, only one has been labelled “critical” severity, CVE-2024-45569. It has a CVSS rating of 9.8. The flaw affects the WLAN subcomponent in Qualcomm devices. The update also addresses issues related to the framework, kernel, platform, and system.