Severity
High
Analysis Summary
Google’s April 2025 Android Security Bulletin reveals the discovery and patching of several critical vulnerabilities, including two zero-day flaws—CVE-2024-53150 and CVE-2024-53197—that are actively being exploited in targeted attacks. This marks the third month in a row where emergency patches were required, underscoring the persistent security risks within the Android ecosystem. These vulnerabilities affect a wide range of devices running Android 12 through 15, particularly those that haven't received timely updates. Google's continuous patch cycle highlights the importance of prompt security maintenance across the Android supply chain.
CVE-2024-53150 is an out-of-bounds read vulnerability (CWE-125) in the Linux kernel’s ALSA USB-audio driver. It arises from improper validation of the bLength parameter when processing clock descriptors. This flaw can expose sensitive kernel memory, potentially leading to information disclosure. It affects multiple kernel versions, including 5.4.287 through 6.12.2+ (severity: High). While exploitation requires local access, it does not need user interaction, making it a serious risk for compromised or physically accessed devices.
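The class of check that is missing here can be shown in a few lines. The following is an added illustration, not the kernel's code or the upstream patch: the helper name `clock_source_attrs`, its return codes and the sample blobs are assumptions, and it handles only the fixed 8-byte USB Audio Class 2 clock source descriptor. It returns an error for an undersized descriptor so the failure is visible to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CS_INTERFACE      0x24 /* class-specific interface descriptor type */
#define UAC2_CLOCK_SOURCE 0x0a /* UAC2 clock source descriptor subtype */
#define CLOCK_SOURCE_LEN  8    /* fixed length of a UAC2 clock source descriptor */

/* Constructed sample blobs (not captured from any device). */
static const uint8_t sample_ok[] = { 3, 0x24, 0x01,                  /* unrelated descriptor */
                                     8, 0x24, 0x0a, 5, 0x01, 0, 0, 0 };
static const uint8_t sample_short[] = { 4, 0x24, 0x0a, 5 };          /* bLength too small */
static const uint8_t sample_overrun[] = { 9, 0x24, 0x0a, 5, 0x01, 0, 0, 0 }; /* bLength > buffer */

/*
 * Hypothetical helper: return bmAttributes of clock source `id`,
 * -1 if no such descriptor exists, -2 if the blob is malformed.
 */
int clock_source_attrs(const uint8_t *buf, size_t len, uint8_t id)
{
    size_t pos = 0;

    while (len - pos >= 2) {
        const uint8_t *d = buf + pos;
        size_t blen = d[0];                     /* device-controlled bLength */

        if (blen < 2 || blen > len - pos)
            return -2;                          /* descriptor runs past the buffer */
        if (d[1] == CS_INTERFACE && blen >= 3 && d[2] == UAC2_CLOCK_SOURCE) {
            /* Validate bLength BEFORE reading bClockID (d[3]) or bmAttributes (d[4]). */
            if (blen < CLOCK_SOURCE_LEN)
                return -2;
            if (d[3] == id)
                return d[4];
        }
        pos += blen;
    }
    return -1;
}

int main(void)
{
    printf("ok=%d short=%d overrun=%d\n",
           clock_source_attrs(sample_ok, sizeof(sample_ok), 5),
           clock_source_attrs(sample_short, sizeof(sample_short), 5),
           clock_source_attrs(sample_overrun, sizeof(sample_overrun), 5));
    return 0;
}
```

Without the `blen < CLOCK_SOURCE_LEN` test, the field reads would trust a length the device chose, which is the pattern the advisory describes.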
The second vulnerability, CVE-2024-53197, also impacts the ALSA USB-audio driver but targets Extigy and Mbox configurations. It involves a memory allocation mismatch caused by a malicious USB device presenting an invalid bNumConfigurations value. This can lead to out-of-bounds memory access in the usb_destroy_configuration function, potentially resulting in privilege escalation or system crashes. It requires physical access, which is a common attack vector in forensic or surveillance scenarios. Researchers from GrapheneOS have highlighted that conventional device locks may not prevent these attacks, suggesting possible use by spyware vendors like Cellebrite.
In response, Google has released patches for Pixel devices and confirmed that source code updates will be published to the Android Open Source Project (AOSP) within 48 hours. Samsung has also addressed over 60 vulnerabilities in its April 2025 update, showing faster response than in past incidents. The critical fixes are part of the 2025-04-05 patch level, while a preliminary 2025-04-01 patch addresses general issues. Users are urged to update their devices immediately to the latest security patch to mitigate risk. With a 50% increase in zero-day exploits observed in 2023, many linked to espionage and financially motivated actors, the importance of timely patching and strong security posture cannot be overstated.
Impact
- Information Disclosure
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2024-53150
- CVE-2024-53197
Affected Vendors
- Linux
Remediation
- Users should update their devices to the latest security patch level, 2025-04-05 or later, to mitigate the risks associated with CVE-2024-53150 and CVE-2024-53197.
- Google has already pushed patches to Pixel devices. Samsung has also released updates addressing over 60 vulnerabilities, including these critical kernel flaws.
- Google plans to release source code patches to the Android Open Source Project (AOSP) repository within 48 hours of the bulletin's publication.
- Device manufacturers and security teams are advised to prioritize the deployment of security patches and ensure devices are regularly updated to maintain protection against actively exploited vulnerabilities.
- Given the sophistication of the exploits, users are encouraged to use additional security measures such as strong passwords, biometric authentication, and device encryption to further safeguard against exploitation.