Technology Desk, New Delhi. Google on Monday released the February 2025 security patch for Android devices. The update fixes recently discovered vulnerabilities whose severity ranges from high to critical. One of these flaws was also being exploited by hackers. Many of the flaws affect devices running on Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc components, while others affect general system components such as the framework and kernel.
February 2025 security patch for Android
According to Google’s February 2025 Android Security Bulletin, a total of 47 vulnerabilities have been patched with the latest update. Following the rollout, the Mountain View-based technology giant has also released source code patches for these issues in the Android Open Source Project (AOSP) repository. Google has singled out one vulnerability, CVE-2024-53104. The problem is in the part of the software that handles USB video devices. Google says this vulnerability may be under limited, targeted exploitation.
The flaw is rated high severity with a CVSS score of 7.8 and, according to the bulletin, it “allows anyone to gain high-level access to a system without the need to run any additional programs.” Google hasn’t provided much information about the issue, but the National Vulnerability Database, which is run by the US government, has more details. It says the flaw is in the Linux kernel, specifically in the way the kernel handles video.
What is the flaw?
The problem was in a part of the software called uvc_parse_format, which deals with video formats, and in how it handled a specific type of video frame, called UVC_VS_UNDEFINED. The software should have ignored these undefined frames. Instead, it tried to interpret them. Another part of the software, uvc_parse_streaming, calculates how much memory is needed, and its calculation did not take undefined frames into account. Because of this mismatch, the software tried to write data outside the allocated memory space. This is called an ‘out-of-bounds write’ and is a security vulnerability.
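The count-versus-parse mismatch described above, as an added illustration: a simplified C model, not the Linux kernel's code or Google's patch. The subtype values, function names and sample descriptor list are constructed for this example, and stores are clamped so the program reports the overflow instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed subtype values; only the UNDEFINED idea comes from the article. */
enum { VS_UNDEFINED = 0, VS_FRAME = 5 };

/* Constructed descriptor list: two real frames and two undefined entries. */
static const uint8_t SAMPLE[] = { VS_FRAME, VS_UNDEFINED, VS_FRAME, VS_UNDEFINED };

/* Sizing pass: counts real frames only, so undefined entries get no slot. */
static size_t count_frames(const uint8_t *types, size_t n) {
    size_t frames = 0;
    for (size_t i = 0; i < n; i++)
        if (types[i] == VS_FRAME) frames++;
    return frames;
}

/* Parsing pass. ignore_undefined = 0 models the flaw (undefined entries are
 * interpreted as frames), 1 models the corrected behaviour. Returns how many
 * slots the parser wants; stores are clamped to cap so the demo stays safe. */
static size_t parse_frames(const uint8_t *types, size_t n, int ignore_undefined,
                           uint8_t *out, size_t cap) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (types[i] == VS_UNDEFINED && ignore_undefined) continue;
        if (types[i] != VS_FRAME && types[i] != VS_UNDEFINED) continue;
        if (used < cap) out[used] = types[i];
        used++;
    }
    return used;
}

/* Number of writes that would land past the buffer sized by count_frames(). */
static size_t slots_past_end(const uint8_t *types, size_t n, int ignore_undefined) {
    uint8_t out[16];
    size_t cap = count_frames(types, n);
    if (cap > sizeof out) cap = sizeof out;
    size_t want = parse_frames(types, n, ignore_undefined, out, cap);
    return want > cap ? want - cap : 0;
}

int main(void) {
    size_t n = sizeof SAMPLE;
    printf("slots allocated:        %zu\n", count_frames(SAMPLE, n));
    printf("past end, flawed parse: %zu\n", slots_past_end(SAMPLE, n, 0));
    printf("past end, fixed parse:  %zu\n", slots_past_end(SAMPLE, n, 1));
    return 0;
}
```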
Of the 47 vulnerabilities patched with the February 2025 update, only one is labeled ‘critical’ severity, CVE-2024-45569. It has a CVSS rating of 9.8. This flaw affects the WLAN subcomponent in Qualcomm devices. The update also addresses framework, kernel, platform, and system-related issues.