Google has released patches for 43 vulnerabilities in Android’s March 2025 security update, including two zero-days exploited in targeted attacks.
Serbian authorities have used one of the zero-days, a high-severity information disclosure security vulnerability (CVE-2024-50302) in the Linux kernel’s driver for Human Interface Devices, to unlock confiscated devices.
The flaw was reportedly exploited as part of an Android zero-day exploit chain developed by Israeli digital forensics company Cellebrite to unlock confiscated devices.
The exploit chain—which also includes a USB Video Class zero-day (CVE-2024-53104) patched last month and an ALSA USB-sound driver zero-day)—was found by Amnesty International’s Security Lab in mid-2024 while analyzing the logs found on a device unlocked by Serbian authorities.
Google told BleepingComputer last week that they shared fixes for these flaws with OEM partners in January.
“We were aware of these vulnerabilities and exploitation risk prior to these reports and promptly developed fixes for Android. Fixes were shared with OEM partners in a partner advisory on January 18,” a Google spokesperson told BleepingComputer.
The second zero-day fixed this month (CVE-2024-43093) is an Android Framework privilege escalation vulnerability that allows local attackers to access sensitive directories due to incorrect unicode normalization by exploiting a file path filter bypass without additional execution privileges or user interaction.
This month’s Android security updates also address 11 vulnerabilities that can let attackers gain remote code execution on vulnerable devices.
Google has issued two sets of security patches, the 2025-03-01 and 2025-03-01 security patch levels. The latter comes with all fixes from the first batch and patches for closed-source third-party and kernel subcomponents, which may not apply to all Android devices.
Google Pixel devices receive the updates immediately, while other vendors will often take longer to test and fine-tune the security patches for their hardware configurations.
Manufacturers can also prioritize the earlier patch set for quicker updates, which does not necessarily indicate increased exploitation risk.
In November, the company patched another Android zero-day (CVE-2024-43047), which was first tagged as exploited by Google Project Zero in October 2024 and used by the Serbian government in NoviSpy spyware attacks targeting the Android devices of activists, journalists, and protestors.