
Google has shipped patches for 62 vulnerabilities, two of which are said to have been exploited in the wild.
The two high-severity vulnerabilities are listed below –
CVE-2024-53150 (CVSS score: 7.8) – A flaw in the kernel's USB subcomponent that may lead to information disclosure
CVE-2024-53197 (CVSS score: 7.8) – A privilege escalation flaw in the kernel's USB subcomponent
“The most serious of these issues is a critical security vulnerability in the system components that does not require additional execution privileges, which could lead to remote escalation of privileges,” Google said in its monthly security bulletin in April 2025.

The tech giant also acknowledged that both shortcomings could have been subject to “limited targeted exploitation.”
It is worth noting that CVE-2024-53197 is rooted in the Linux kernel and was patched there last year alongside CVE-2024-53104 and CVE-2024-50302. According to Amnesty International, all three vulnerabilities were chained together in December 2024 to break into Android phones belonging to Serbian youth activists.
Google addressed CVE-2024-53104 in February 2025, while CVE-2024-50302 was fixed last month. With the latest update, all three vulnerabilities are fixed, effectively closing off that exploit path.
Currently, there are details on how CVE-2024-53150 was exploited in a real attack. Android device users are encouraged to apply the updates as and when Android original equipment manufacturers (OEMs) release them.