Android Security Patch for February 2025
Google's February 2025 Android Security Bulletin lists fixes for 47 vulnerabilities. Since the rollout, the Mountain View-based company has also published the source code fixes to the Android Open Source Project (AOSP) repository. Google reports that one of the flaws, CVE-2024-53104, "may be under limited, targeted exploitation"; it affects the USB Video Class (UVC) driver subcomponent of the kernel.
According to the bulletin, the flaw is rated high severity with a CVSS score of 7.8 and could lead to "physical escalation of privilege with no additional execution privileges needed", meaning an attacker needs physical access (the UVC driver handles USB cameras, so the natural vector is a malicious USB device) but no existing foothold on the device. Google has not disclosed further details; the National Vulnerability Database (NVD), the US government's repository of standards-based vulnerability management data, describes it as an issue in the Linux kernel's video subsystem.
The fault sits in the driver's two-pass handling of the video-streaming interface descriptors. uvc_parse_streaming first walks the descriptors, counts the frame descriptors of the recognised frame types and sizes the frame buffer from that count; descriptors of type UVC_VS_UNDEFINED are not counted. uvc_parse_format then parses the frame descriptors that follow each format descriptor and, before the fix, did not skip frames of type UVC_VS_UNDEFINED, so it wrote entries for them into a buffer that had no room for them. The result is an out-of-bounds write past the allocated buffer. The fix makes uvc_parse_format skip frames of type UVC_VS_UNDEFINED, so the parsing pass and the counting pass agree on what a frame is.
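The following is an added example, not the Linux uvcvideo driver's code: a constructed C model of the mismatch between the counting pass and the parsing pass described above. The descriptor layout, the function names (count_frames, parse_formats, run_model), the subtype values other than UVC_VS_UNDEFINED (which really is 0) and the sample descriptor list are all assumptions made for illustration. The model adds a capacity check so the overflow is reported rather than performed; the real driver had no such check, which is why the result there was a write past the buffer.

```c
/*
 * Added example (not Linux uvcvideo code): a constructed model of the
 * size-calculation mismatch behind CVE-2024-53104. Descriptor layout, subtype
 * values other than VS_UNDEFINED, function names and sample data are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum vs_subtype {
    VS_UNDEFINED           = 0x00, /* same value as the real UVC_VS_UNDEFINED */
    VS_FORMAT_UNCOMPRESSED = 0x04, /* assumed value: a format that has frame descriptors */
    VS_FRAME_UNCOMPRESSED  = 0x05, /* assumed value: the matching frame subtype */
    VS_FORMAT_STREAM_BASED = 0x12, /* assumed value: a format with no frame descriptors */
};

struct vs_desc {          /* one class-specific VS interface descriptor (simplified) */
    uint8_t subtype;
    uint8_t payload;      /* stands in for the rest of the descriptor */
};

struct frame { uint8_t payload; };

static int is_format(uint8_t subtype)
{
    return subtype == VS_FORMAT_UNCOMPRESSED || subtype == VS_FORMAT_STREAM_BASED;
}

/* Frame subtype that follows a given format; 0 (undefined) for format
 * types that carry no frame descriptors at all. */
static uint8_t frame_type_for(uint8_t format_subtype)
{
    return format_subtype == VS_FORMAT_UNCOMPRESSED ? VS_FRAME_UNCOMPRESSED : VS_UNDEFINED;
}

/* Model of the counting pass in uvc_parse_streaming: only descriptors of a
 * recognised frame subtype contribute to the size of the frame buffer. */
size_t count_frames(const struct vs_desc *d, size_t n)
{
    size_t nframes = 0;
    for (size_t i = 0; i < n; i++)
        if (d[i].subtype == VS_FRAME_UNCOMPRESSED)
            nframes++;
    return nframes;
}

/*
 * Model of the parsing pass in uvc_parse_format. With fixed == 0 the loop
 * condition still matches descriptors whose subtype is 0 when ftype is
 * VS_UNDEFINED, so they are written as frames although count_frames never
 * counted them. With fixed == 1 the parser skips frame parsing when ftype is
 * undefined. Returns the number of frames written, or -1 if a write would go
 * past `capacity` (the point at which the real driver wrote out of bounds).
 */
int parse_formats(const struct vs_desc *d, size_t n,
                  struct frame *frames, size_t capacity, int fixed)
{
    size_t written = 0, i = 0;

    while (i < n) {
        if (!is_format(d[i].subtype)) { i++; continue; } /* non-format descriptors are skipped */
        uint8_t ftype = frame_type_for(d[i].subtype);
        i++;                                             /* consume the format descriptor */
        if (fixed && ftype == VS_UNDEFINED)
            continue;                                    /* the fix: no frames to parse */
        while (i < n && d[i].subtype == ftype) {
            if (written >= capacity)
                return -1;                               /* OOB write in the unpatched driver */
            frames[written++].payload = d[i].payload;
            i++;
        }
    }
    return (int)written;
}

/* Constructed sample: a stream-based format followed by two descriptors of
 * subtype 0, then an uncompressed format with one real frame descriptor. */
const struct vs_desc SAMPLE[] = {
    { VS_FORMAT_STREAM_BASED, 0xA0 },
    { VS_UNDEFINED,           0xA1 },
    { VS_UNDEFINED,           0xA2 },
    { VS_FORMAT_UNCOMPRESSED, 0xB0 },
    { VS_FRAME_UNCOMPRESSED,  0xB1 },
};
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Size the frame buffer as the counting pass would, then run the parser. */
int run_model(int fixed)
{
    struct frame frames[8]; /* backing store; `capacity` is what the driver would have allocated */
    size_t capacity = count_frames(SAMPLE, SAMPLE_LEN);
    return parse_formats(SAMPLE, SAMPLE_LEN, frames, capacity, fixed);
}

int main(void)
{
    printf("frames counted for the buffer: %zu\n", count_frames(SAMPLE, SAMPLE_LEN));
    printf("unpatched parser: %d (negative means a write past the counted size)\n", run_model(0));
    printf("patched parser:   %d\n", run_model(1));
    return 0;
}
```

The point the model makes is that the counting pass sizes the buffer for one frame, while the unpatched parsing pass treats the two subtype-0 descriptors as frames and needs room for them as well; a USB device is free to present descriptors in exactly this shape, which is why the fix is to make the two passes disagree on nothing.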
Of the 47 vulnerabilities fixed by the February 2025 update, only one, CVE-2024-45569, is rated critical, with a CVSS score of 9.8. It affects the WLAN subcomponent in Qualcomm devices. The remaining fixes address issues in the Framework, Kernel, Platform and System components.