Tuesday, February 4, 2025

Google warns Android users of a kernel flaw under attack


Google has released its February Android security updates, including a fix for a high-severity kernel-level vulnerability that is suspected to be under targeted exploitation.

The flaw, CVE-2024-53104, is an intriguing Linux kernel flaw in its USB video-class driver code. There’s not a lot of detail about the bug, other than the fix is to skip the parsing of undefined video frames that would otherwise cause the kernel to write to memory it’s not supposed to, which could be used to crash or fully hijack a device.

What’s interesting is that this driver code is supposed to mainly handle USB cameras and similar video sources. Thus, exploitation potentially involves connecting some malicious hardware that feeds bad data into the system. Google indicated the flaw can be used to achieve “physical escalation of privilege with no additional execution privileges needed,” which to us sounds like someone being able to plug a malicious gadget – perhaps something law enforcement might use – into a vulnerable Android device and take it over. Very curious.

CVE-2024-53104 may be under limited, targeted exploitation

“There are indications that CVE-2024-53104 may be under limited, targeted exploitation,” Google said in its advisory. We note that a patch to address the hole in the open source kernel was accepted at the end of last year.

Of the 46 patches pushed out by Google this month, only one is rated as “critical” by the ad slinger: CVE-2024-45569, with a CVSS rating of 9.8 out of 10. The flaw is a classic failure to check the length of an array in Qualcomm’s wireless LAN stack, triggered by the processing of network management frames over the air, allowing privileged remote code execution to be achieved, or crashing the device. Ouch.
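Both kernel-side bugs described above come down to the same driver-parsing discipline: skip descriptors of a type the code does not define, and check a declared length against the remaining input and against the array that will hold the bytes before copying anything. The following is an added illustration in C, not code from the Linux kernel, Qualcomm, or this article; the descriptor layout (one type byte, one length byte, then payload), the type numbers, and the buffer sizes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical descriptor format, constructed for this example (not the real
 * UVC or 802.11 management-frame layout):
 *   [type:1 byte][len:1 byte][payload:len bytes] repeated until end of input. */
#define DESC_TYPE_UNCOMPRESSED 1
#define DESC_TYPE_MJPEG        2
#define MAX_PAYLOAD            16   /* capacity of entry.payload */
#define MAX_ENTRIES            4

struct entry {
    uint8_t type;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Parse `buf` into `out`. Returns the number of accepted entries, or -1 if the
 * input is malformed: a truncated header, a declared length that overruns the
 * input, a payload larger than the fixed array, or more entries than `out` holds.
 * Entries of an undefined type are skipped rather than parsed. */
int parse_descriptors(const uint8_t *buf, size_t buflen,
                      struct entry *out, size_t max_out)
{
    size_t pos = 0, n = 0;

    while (pos < buflen) {
        if (buflen - pos < 2)
            return -1;                      /* truncated header */

        uint8_t type = buf[pos];
        uint8_t len  = buf[pos + 1];

        /* Length check #1: declared length must fit in the remaining input. */
        if (len > buflen - pos - 2)
            return -1;

        const uint8_t *payload = buf + pos + 2;
        pos += 2 + len;                     /* advance past this entry */

        /* Undefined frame type: do not parse it at all, just step over it. */
        if (type != DESC_TYPE_UNCOMPRESSED && type != DESC_TYPE_MJPEG)
            continue;

        /* Length check #2: declared length must fit the destination array.
         * Skipping this check is the classic write past the end of payload[]. */
        if (len > MAX_PAYLOAD)
            return -1;

        if (n >= max_out)
            return -1;                      /* no room for another entry */

        out[n].type = type;
        out[n].len  = len;
        memcpy(out[n].payload, payload, len);
        n++;
    }
    return (int)n;
}

/* Constructed samples: a well-formed stream with one undefined type in the
 * middle, one whose declared length overruns the input, and one whose payload
 * is larger than the destination array. */
static const uint8_t sample_ok[] = {
    1, 3, 0xAA, 0xBB, 0xCC,     /* uncompressed, 3-byte payload: accepted */
    9, 2, 0x01, 0x02,           /* type 9 is undefined: skipped */
    2, 1, 0x7F                  /* MJPEG, 1-byte payload: accepted */
};
static const uint8_t sample_overrun[]   = { 1, 10, 0xAA };  /* claims 10, has 1 */
static const uint8_t sample_oversized[22] = { 1, 20 };      /* 20 > MAX_PAYLOAD */

int main(void)
{
    struct entry out[MAX_ENTRIES];
    printf("ok stream:  %d entries\n",
           parse_descriptors(sample_ok, sizeof sample_ok, out, MAX_ENTRIES));
    printf("overrun:    %d\n",
           parse_descriptors(sample_overrun, sizeof sample_overrun, out, MAX_ENTRIES));
    printf("oversized:  %d\n",
           parse_descriptors(sample_oversized, sizeof sample_oversized, out, MAX_ENTRIES));
    return 0;
}
```

The two length checks are deliberately separate: the first protects against reading past the input the device or the air interface supplied, the second against writing past the kernel-side array, and a parser needs both even when it has already decided to ignore unknown types.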

Google notes the severity of all other flaws in the advisory is “high.” The only other kernel issue – CVE-2025-0088 – addresses a race condition in which the system page tables can be changed; that could be exploited by a rogue app to gain control of the device.

In all, Qualcomm kit got 10 patches, four of which were related to problems with its camera drivers. MediaTek devices received five patches and Imagination Technologies had four, in the latter case all for its PowerVR GPU engine.

As ever with Android patches, it’s the users of Google’s Pixel mobile platform who will get the first chance to download the update, with other manufacturers following behind. Samsung has just put out its January patches and some manufacturers are even more tardy. ®

Navigating Netgear alerts

Android users aren’t the only ones who should get patching this week. Netgear has emitted several critical fixes for unauthenticated remote code execution and authentication bypass flaws.

Three routers in its Nighthawk gaming range, the XR1000, XR1000v2, and XR500, need firmware updates. Netgear warns this unauthenticated remote code execution vulnerability, rated CVSS 9.8, could allow attackers to take control of unpatched devices. The find came from Netgear’s Bugcrowd bounty program.

In addition, three of Netgear’s Wi-Fi 6 access points – WAX206, WAX214v2, and WAX220 – require urgent fixes for a critical authentication bypass flaw, rated CVSS 9.6.

Netgear urges an immediate patching session, using its Orbi, Nighthawk, or Insight apps.
