Google Patches 47 Android Vulnerabilities, Including One Under Active Exploitation
Google has rolled out security updates to fix 47 vulnerabilities in its Android operating system, including one that has been actively exploited in the wild.

The actively targeted flaw, tracked as CVE-2024-53104 (CVSS score: 7.8), is a privilege escalation issue in the USB Video Class (UVC) driver, a kernel component. Google confirmed that successful exploitation could allow an attacker to gain elevated privileges through physical access and noted that the flaw has been subject to "limited, targeted exploitation."
Although Google has not disclosed additional technical details, Linux kernel developer Greg Kroah-Hartman previously identified the vulnerability in December 2024. The flaw, introduced in Linux kernel version 2.6.26 (released in mid-2008), stems from an out-of-bounds write issue in the uvc_parse_format() function within uvc_driver.c. This vulnerability could lead to memory corruption, crashes, or arbitrary code execution.
Additionally, Google addressed a critical security flaw in Qualcomm's WLAN component (CVE-2024-45569, CVSS score: 9.8), which could also lead to memory corruption.
To streamline patch deployment, Google has provided two security patch levels, 2025-02-01 and 2025-02-05, allowing Android partners to prioritize fixes for common vulnerabilities across all devices more efficiently. The company has encouraged partners to implement all fixes and apply the latest security patch level.