Google Addresses Critical Android Zero-Day Vulnerabilities Exploited in Targeted Attacks

In April 2025, Google released its monthly Android Security Bulletin, addressing multiple critical vulnerabilities, including two zero-day flaws actively exploited in targeted attacks. This marks the third consecutive month that Google has issued emergency patches for actively exploited vulnerabilities, underscoring the persistent security challenges within the Android ecosystem.

Critical Vulnerabilities Under Active Exploitation

The April 2025 security update specifically addresses CVE-2024-53150 and CVE-2024-53197, both of which Google confirms may be under limited, targeted exploitation. These vulnerabilities affect devices running Android versions 12 through 15, raising concerns for devices that have not received timely security updates.

CVE-2024-53150: Information Disclosure via Out-of-Bounds Read

CVE-2024-53150 is a flaw in the Linux kernel’s ALSA USB-audio driver. The driver fails to properly validate the bLength field while processing clock descriptors, which results in an out-of-bounds read (CWE-125) that can expose sensitive kernel memory contents. The vulnerability carries a CVSS v3.1 base score of 7.1 (High).
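The kind of bLength validation described above, as an added user-space sketch; it is not the kernel's code or the actual patch. The helper name and sample buffers are constructed for illustration, and the constants assume the USB Audio Class 2.0 clock source layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CS_INTERFACE     0x24 /* class-specific interface descriptor type */
#define CLOCK_SOURCE     0x0a /* UAC2 clock source subtype (assumed layout) */
#define CLOCK_SOURCE_LEN 8    /* size of a UAC2 clock source descriptor */

/* Constructed sample buffers, not captured from any device. */
static const uint8_t good[] = { 0x04, 0x24, 0x01, 0x00, /* unrelated descriptor */
    0x08, 0x24, 0x0a, 0x01, 0x01, 0x00, 0x00, 0x00 };   /* complete clock source */
static const uint8_t truncated[] = { 0x04, 0x24, 0x0a, 0x01 }; /* bLength too small */
static const uint8_t overrun[]   = { 0x08, 0x24, 0x0a, 0x01 }; /* bLength > buffer */

/*
 * Hypothetical helper: walk a descriptor buffer and return the first clock
 * source descriptor whose bLength can be trusted, or NULL if none is found
 * or the buffer is malformed.
 */
const uint8_t *find_clock_source(const uint8_t *buf, size_t len)
{
    size_t off = 0;

    while (len - off >= 2) {          /* room for bLength + bDescriptorType */
        const uint8_t *d = buf + off;
        size_t blen = d[0];

        /* Too short to be a descriptor, or claims bytes past the buffer. */
        if (blen < 2 || blen > len - off)
            return NULL;
        if (blen >= 3 && d[1] == CS_INTERFACE && d[2] == CLOCK_SOURCE) {
            /* bLength must cover every field a caller will go on to read. */
            return blen >= CLOCK_SOURCE_LEN ? d : NULL;
        }
        off += blen;                  /* advance by the validated length */
    }
    return NULL;
}

int main(void)
{
    printf("good:      %s\n", find_clock_source(good, sizeof good) ? "accepted" : "rejected");
    printf("truncated: %s\n", find_clock_source(truncated, sizeof truncated) ? "accepted" : "rejected");
    printf("overrun:   %s\n", find_clock_source(overrun, sizeof overrun) ? "accepted" : "rejected");
    return 0;
}
```

A parser that matched only on type and subtype would hand the 4-byte `truncated` descriptor to code that reads all 8 bytes of a clock source, which is the out-of-bounds read pattern the CVE describes.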

CVE-2024-53197: Privilege Escalation via Out-of-Bounds Memory Access

The second actively exploited vulnerability, CVE-2024-53197, also affects the Linux kernel’s ALSA USB-audio driver, specifically impacting Extigy and Mbox device configurations. The flaw occurs when a malicious USB device presents an invalid bNumConfigurations value that exceeds the number of configurations for which memory was initially allocated. The mismatch can lead to out-of-bounds memory access in the usb_destroy_configuration function, which could result in system crashes or privilege escalation. The vulnerability has a CVSS v3.1 base score of 7.8 (High).

Security Implications and Expert Analysis

Security researchers from GrapheneOS have noted that conventional device locks—including passwords, fingerprints, and facial recognition—may not fully protect against exploitation of these flaws. This suggests that even devices with robust security measures could be vulnerable if the underlying system software is compromised.

Experts believe CVE-2024-53197 shares similarities with exploits previously used by digital intelligence companies like Cellebrite, particularly for extracting data from locked devices. This suggests potential connections to sophisticated surveillance tools used in targeted operations, highlighting the need for heightened vigilance among users who may be at risk of such targeted attacks.

Patch Distribution and Recommendations

Google has already pushed patches to Pixel devices, while Samsung has demonstrated an improved response time compared to previous security incidents. Samsung’s April 2025 security update addresses over 60 vulnerabilities in total, including these critical kernel flaws.

The patches have been released in two security patch levels (2025-04-01 and 2025-04-05), with the latter containing the fixes for the actively exploited vulnerabilities. Source code patches will be released to the Android Open Source Project (AOSP) repository within 48 hours of the bulletin’s publication.

Users are strongly advised to update their devices promptly to mitigate the risks associated with these vulnerabilities. To apply the latest update, navigate to Settings > System > Software updates > System update. Alternatively, go to Settings > Security & privacy > System & updates > Security update.

Conclusion

The discovery and patching of these zero-day vulnerabilities highlight the ongoing challenges in maintaining the security of the Android ecosystem. Users must remain vigilant and ensure their devices are updated regularly to protect against potential exploits. The collaboration between security researchers and companies like Google is crucial in identifying and mitigating such threats, thereby enhancing the overall security posture of the Android platform.