
Google has released its monthly Android Security Bulletin for March 2025, addressing a total of 44 vulnerabilities.
The two high-severity vulnerabilities are listed below:
CVE-2024-43093 – A privilege escalation flaw in the Framework component that can lead to unauthorized access to the “Android/Data”, “Android/OBB”, and “Android/Sandbox” directories and their respective subdirectories.
CVE-2024-50302 – A privilege escalation flaw in the HID USB component of the Linux kernel that could let a local attacker leak uninitialized kernel memory through specially crafted HID reports.
Note that CVE-2024-43093 was previously flagged by Google in its November 2024 security advisory as actively exploited in the wild. It is not clear why the tech giant has issued a second alert.

The Hacker News has reached out to Google for further comment and will update the story if we hear back.
Meanwhile, CVE-2024-50302 is one of three vulnerabilities chained into a zero-day exploit devised by Cellebrite to break into the Android phones of Serbian youth activists in December 2024.
The exploit used CVE-2024-53104, CVE-2024-53197, and CVE-2024-50302 to escalate privileges and deploy an Android spyware called NoviSpy.
All three vulnerabilities are in the Linux kernel and were patched late last year. CVE-2024-53104 was addressed by Google in Android last month.
In its advisory, Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under “limited targeted exploitation.”
The Mountain View-based company will release two security patch levels, 2025-03-01 and 2025-03-05, giving Android partners the flexibility to address a subset of vulnerabilities that are similar across all Android devices more quickly.