Google has shipped patches to deal with 47 safety flaws in its Android working system, together with one it stated has come underneath energetic exploitation within the wild.
The vulnerability in query is CVE-2024-53104 (CVSS rating: 7.8), which has been described as a case of privilege escalation in a kernel element often called the USB Video Class (UVC) driver.
Profitable exploitation of the flaw may result in bodily escalation of privilege, Google stated, noting that it is conscious that it might be underneath “restricted, focused exploitation.”
Whereas no different technical particulars have been provided, Linux kernel developer Greg Kroah-Hartman revealed in early December 2024 that the vulnerability is rooted within the Linux kernel and that it was launched in version 2.6.26, which was released in mid-2008.
Particularly, it has to do with an out-of-bounds write condition that would come up because of parsing frames of sort UVC_VS_UNDEFINED in a operate named “uvc_parse_format()” within the “uvc_driver.c” program.
This additionally signifies that the flaw might be weaponized to lead to reminiscence corruption, program crash, or arbitrary code execution.
It is not presently not clear who’s behind the exploitation of the vulnerability, though the truth that it may facilitate “bodily” privilege escalation suggests attainable misuse by forensic knowledge extraction instruments, per GrapheneOS.
Additionally patched as a part of Google’s month-to-month safety updates is a important flaw in Qualcomm’s WLAN element (CVE-2024-45569, CVSS rating: 9.8) that would additionally result in reminiscence corruption.
It is price noting that Google has launched two safety patch ranges, 2025-02-01 and 2025-02-05, in order to offer flexibility to Android companions to deal with a portion of vulnerabilities which might be related throughout all Android gadgets extra rapidly.
“Android companions are inspired to repair all points on this bulletin and use the newest safety patch degree,” Google stated.
Replace
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added CVE-2024-53104 to its Identified Exploited Vulnerabilities (KEV) catalog, requiring federal businesses to patch the Linux kernel bug by February 26, 2025.
Source link