One Article Review
| Source |  Techworm |
|---|---|
| Identifiant | 8646826 |
| Date de publication | 2025-02-04 20:21:09 (vue: 2025-02-04 14:53:34) |
| Titre | Google Fixes Android Kernel Zero-Day Exploit Actively Used In Attacks |
| Texte | Google on Monday released its February 2025 security patches, which address 48 vulnerabilities, including a critical zero-day vulnerability affecting the Android kernel that was being actively exploited in attacks.
Tracked as CVE-2024-53104, the zero-day flaw has been described as a high-severity issue affecting the Android Kernel\'s USB Video Class (UVC) driver.
What\'s the vulnerability?
This vulnerability is a privilege escalation security flaw in Android\'s USB Video Class driver, which if exploited, can allow an authenticated attacker to elevate privileges in low-complexity attacks on targeted devices.
The zero-day flaw resides in the uvc_parse_format function. Improper parsing of UVC_VS_UNDEFINED type frames can cause the buffer size of frames to be miscalculated.
This can lead to out-of-bounds writes since frames of this type were not considered when calculating the frame buffer size in uvc_parse_streaming.
This can potentially allow attackers to execute arbitrary code on a vulnerable Android phone or trigger denial-of-service conditions.
“In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming,” reads the advisory.
“There are indications that CVE-2024-36971 may be under limited, targeted exploitation”, the search giant noted in its February 2025 monthly Android security advisory.
Additionally, Google addressed a critical security flaw, CVE-2024-45569 (CVSS score of 9.8), in Qualcomm\'s WLAN component. Qualcomm states this flaw is a memory corruption issue caused by an Improper Validation of the Array Index in WLAN Host Communication when parsing the ML IE due to invalid frame content.
Patches Released
Google has released two patch sets, the 2025-02-01 and 2025-02-05 security patch levels, as part of the February 2025 security updates.
While Google Pixel devices receive security updates immediately, other manufacturers may experience delays due to the additional testing required to ensure the security patches are compatible with various hardware configurations.
Hence, Android users are strongly advised to install the 2025-02-01 and 2025-02-05 security patch levels as soon as possible to safeguard their devices and themselves from major security threats.
Google on Monday released its February 2025 security patches, which address 48 vulnerabilities, including a critical zero-day vulnerability affecting the Android kernel that was being actively exploited in attacks. Tracked as CVE-2024-53104, the zero-day flaw has been described as a high-severity issue affecting the Android Kernel\'s USB Video Class (UVC) driver. What\'s the vu |
| Notes | ★★★ |
| Envoyé | Oui |
| Condensat | 01 and 2025 05 security 2024 2025 36971 45569 53104 account actively additional additionally address addressed advised advisory affecting allow android arbitrary are array attacker attackers attacks authenticated been being bounds buffer calculating can cause caused class code communication compatible complexity component conditions configurations considered content corruption critical cve cvss day delays denial described devices driver due elevate ensure escalation execute experience exploit exploitation” exploited february fixes flaw following format frame frames from function giant noted in google hardware has hence high host immediately improper including index indications install invalid issue its kernel lead levels limited linux low major manufacturers may media: memory miscalculated monday monthly not other out parse parsing part patch patches phone pixel possible potentially privilege privileges qualcomm reads receive released required resides resolved: safeguard score search security service sets severity since size skip soon states streaming strongly taken targeted testing themselves the 2025 threats tracked trigger two type undefined under updates usb used users uvc uvcvideo: validation various video vulnerabilities vulnerability vulnerable what when which wlan writes zero the “in “there |
| Tags | Vulnerability Threat Mobile |
| Stories | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.