Update Details
Google has made the February 2025 security patch available for Android devices. This patch corrects a total of 47 vulnerabilities found in various components of Android-powered devices. The critical and high-severity vulnerabilities corrected by the patch have been observed being exploited.
Vulnerabilities Corrected
The patch fixes vulnerabilities in components from several key vendors: Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
It also covers general system components, from the framework to the kernel.
Among the 47 flaws patched, one of the most notable is CVE-2024-53104, which is associated with the USB Video Class (UVC) driver subcomponent, is “actively exploited,” and presents the possibility of a “physical escalation of privilege.”
Critical Vulnerability: CVE-2024-45569
The most critical flaw fixed in this update is CVE-2024-45569, which has a CVSS score of 9.8 and is rated critical severity.
This vulnerability affects the WLAN subcomponent on Qualcomm devices. Exploitation of this vulnerability poses considerable risk to devices that use Qualcomm hardware.
Impact of Vulnerabilities
The vulnerabilities addressed in this security patch may enable an attacker to acquire elevated privileges or execute arbitrary code.
The CVE-2024-53104 issue, related to UVC driver handling in Linux, could allow attackers to bypass system security measures through an out-of-bounds write.
Details on Exploited Vulnerability
According to Google’s Android Security Bulletin, the vulnerability CVE-2024-53104, linked to the UVC driver, is rated high severity, with a CVSS score of 7.8. It was found to be under targeted exploitation.
The problem stems from the mishandling of undefined frames in the uvc_parse_format function of the UVC subsystem, which may lead to an out-of-bounds write and, in turn, privilege escalation.
The February 2025 Android security patch rolls out critical fixes for a significant number of flaws. Although the flaw in Qualcomm’s WLAN subcomponent poses a significant risk and the vulnerable UVC driver, which is inside the Linux kernel, is already being targeted, the timely patch appears to mitigate potential threats. Both users and OEMs are advised to update right away to avert potential exploitation.
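One way to act on the update recommendation above is to audit reported patch levels across a device inventory. The script below is an added example, not taken from Google's bulletin or the original article. The function names are hypothetical, the inventory is constructed sample data, and the default REQUIRED_LEVEL of 2025-02-01 is an assumption derived from the article's "February 2025".

```shell
#!/bin/sh
# Added example: classify devices by Android security patch level.
# On a connected device the value comes from the standard property:
#   adb shell getprop ro.build.version.security_patch
# REQUIRED_LEVEL is an assumption derived from the article's "February 2025";
# replace it with the exact level string from the bulletin you are tracking.
REQUIRED_LEVEL="${REQUIRED_LEVEL:-2025-02-01}"

# patch_status LEVEL [REQUIRED] -> prints patched | outdated | invalid
patch_status() {
    level=$(printf '%s' "$1" | tr -d '\r')   # tolerate a trailing CR
    required="${2:-$REQUIRED_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer.
    have=$(printf '%s' "$level" | sed 's/-//g')
    need=$(printf '%s' "$required" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then echo patched; else echo outdated; fi
}

# audit_inventory: reads "serial patch_level" lines on stdin, prints one
# result line per device, and returns non-zero if any device is not patched.
audit_inventory() {
    rc=0
    while read -r serial level; do
        [ -z "$serial" ] && continue
        result=$(patch_status "$level")
        printf '%s %s %s\n' "$serial" "${level:-unknown}" "$result"
        [ "$result" = patched ] || rc=1
    done
    return "$rc"
}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY='emulator-5554 2025-02-05
R58N000TEST 2025-01-01
ZY22TESTXYZ 2024-12-05
LAB-TABLET-07'

audit_sample() { printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory; }
```

A device that reports no patch level is classified as invalid rather than patched, so missing data fails the audit instead of passing silently.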