In its April 2025 security update, Google patched 62 vulnerabilities, including two high-severity zero-days actively exploited in the wild. The vulnerabilities, CVE-2024-53150 and CVE-2024-53197, both involve the USB sub-component of the Linux kernel. CVE-2024-53150, with a CVSS score of 7.8, is an out-of-bounds flaw that could lead to information disclosure. CVE-2024-53197, also with a CVSS score of 7.8, is a privilege escalation flaw that allows attackers to gain unauthorized privileges.
The vulnerabilities are believed to have been targeted in limited, targeted attacks, though no details have been provided on specific exploitations.
CVE-2024-53197 has a deeper history, as it was originally patched in the Linux kernel last year, alongside two other vulnerabilities. These flaws, CVE-2024-53104 and CVE-2024-50302, were chained together to exploit a Serbian activist’s Android phone in December 2024. Google had already patched CVE-2024-53104 in February 2025 and CVE-2024-50302 in March, but the latest Android update resolves all three issues.
CVE-2024-53150 remains a concern as no details have emerged about its exploitation in real-world attacks.
Android users are urged to apply updates as soon as they are available from their device manufacturers. Google addressed this flaw by fixing an ALSA USB-audio vulnerability that could trigger out-of-bounds reads when detecting clock sources. This issue stemmed from invalid descriptor lengths and was resolved by adding sanity checks for safer memory access.
Additionally, the updates also include patches for other vulnerabilities in Android, including CVE-2024-53104, a zero-day flaw exploited earlier in the year. Google continues to address security concerns promptly, releasing updates in April 2025 to mitigate potential risks. These updates highlight the ongoing importance of securing mobile devices and the effectiveness of timely security patches in addressing known vulnerabilities.
