Critical Android Flaw Under Active Attack: Google Rushes Fix Among 47 Security Patches

Google Patches Critical Android Security Flaws, Including Actively Exploited Vulnerability

Google has released security updates addressing 47 vulnerabilities in Android, with one critical flaw already being exploited in the wild. The actively targeted vulnerability, identified as CVE-2024-53104 with a CVSS score of 7.8, affects the USB Video Class (UVC) driver in the kernel component.

The vulnerability, which enables privilege escalation, traces back to the Linux kernel version 2.6.26 from 2008. Linux kernel developer Greg Kroah-Hartman identified that the flaw stems from an out-of-bounds write condition in the “uvc_parse_format()” function within “uvc_driver.c” when processing UVC_VS_UNDEFINED frames. This could potentially lead to memory corruption, system crashes, or arbitrary code execution.
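To make the bug class concrete, here is an added C illustration (constructed for this article, not the real uvcvideo code or the actual patch) of how a descriptor parser ends up with an out-of-bounds write: one pass decides how many frame slots to allocate, a second pass fills them, and the two disagree about whether a descriptor of an undefined subtype counts as a frame. The subtype values, the `struct frame` layout and the sample descriptor bytes are all hypothetical; the hardened variant shows the two defensive changes a reviewer would look for, skipping the undefined subtype so both passes agree, and bounds-checking every store.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical descriptor subtypes (constructed; not the real UVC constants). */
enum { VS_UNDEFINED = 0x00, VS_FORMAT = 0x04, VS_FRAME = 0x05 };

struct frame { uint16_t width, height; };

/* Each descriptor is [bLength][bSubtype][payload...]. Returns 0 if the
 * descriptor at `off` is malformed (would overrun the buffer). */
static int desc_ok(const uint8_t *buf, size_t len, size_t off) {
    return off + 2 <= len && buf[off] >= 2 && off + buf[off] <= len;
}

/* Sizing pass: decides how many frame slots to allocate. Counts VS_FRAME only. */
size_t count_frames_sized(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t off = 0; desc_ok(buf, len, off); off += buf[off])
        if (buf[off + 1] == VS_FRAME) n++;
    return n;
}

/* Unsafe filling pass: also treats VS_UNDEFINED as a frame, so it would store
 * one entry per VS_FRAME *and* per VS_UNDEFINED descriptor into an array that
 * was sized for VS_FRAME alone. To keep this runnable it only reports how many
 * slots it would write, rather than performing the out-of-bounds store. */
size_t frames_written_unsafe(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t off = 0; desc_ok(buf, len, off); off += buf[off]) {
        uint8_t subtype = buf[off + 1];
        if (subtype == VS_FRAME || subtype == VS_UNDEFINED) n++;
    }
    return n;
}

/* Hardened filling pass: skips VS_UNDEFINED (so sizing and filling agree) and
 * bounds-checks every store. Returns frames stored, or -1 on a malformed
 * descriptor or a store that would exceed `nslots`. */
int parse_frames_checked(const uint8_t *buf, size_t len,
                         struct frame *out, size_t nslots) {
    size_t n = 0;
    for (size_t off = 0; desc_ok(buf, len, off); off += buf[off]) {
        uint8_t dlen = buf[off], subtype = buf[off + 1];
        if (subtype != VS_FRAME) continue;   /* VS_UNDEFINED, VS_FORMAT, ... */
        if (dlen < 6) return -1;             /* width + height need 4 payload bytes */
        if (n >= nslots) return -1;          /* the check that prevents the overrun */
        out[n].width  = (uint16_t)(buf[off + 2] | (buf[off + 3] << 8));
        out[n].height = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
        n++;
    }
    return (int)n;
}

/* Constructed sample: a format header, a 640x480 frame, a stray VS_UNDEFINED
 * descriptor, and a 1280x720 frame (little-endian 16-bit dimensions). */
const uint8_t SAMPLE[] = {
    2, VS_FORMAT,
    6, VS_FRAME,     0x80, 0x02, 0xE0, 0x01,
    6, VS_UNDEFINED, 0xAA, 0xAA, 0xAA, 0xAA,
    6, VS_FRAME,     0x00, 0x05, 0xD0, 0x02,
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void) {
    struct frame slots[2];
    size_t sized = count_frames_sized(SAMPLE, SAMPLE_LEN);
    printf("slots allocated: %zu, unsafe pass would write: %zu\n",
           sized, frames_written_unsafe(SAMPLE, SAMPLE_LEN));
    int stored = parse_frames_checked(SAMPLE, SAMPLE_LEN, slots, sized);
    printf("hardened pass stored %d frames\n", stored);
    for (int i = 0; i < stored; i++)
        printf("  frame %d: %ux%u\n", i, slots[i].width, slots[i].height);
    return 0;
}
```

On the sample above the sizing pass allocates two slots while the unsafe filling pass would perform three stores, which is exactly the one-element heap overrun pattern; the hardened pass stores two frames and returns -1 rather than writing if handed fewer slots than it needs.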

While the exact threat actors exploiting this vulnerability remain unknown, its capability for “physical” privilege escalation suggests possible abuse by forensic data extraction tools, according to GrapheneOS.

The security update also addresses a critical vulnerability in Qualcomm’s WLAN component (CVE-2024-45569, CVSS score: 9.8), which poses memory corruption risks. Google has implemented two security patch levels (2025-02-01 and 2025-02-05) to allow Android partners flexibility in addressing these vulnerabilities efficiently across devices.
