Google Patches Linux Kernel RCE Vulnerability in Android That Allows Attackers to Gain Read/Write Access

Google has released its February 2025 Android Security Bulletin, which addresses 47 vulnerabilities impacting Android devices.

A notable issue is a patched Linux kernel vulnerability (CVE-2024-53104) that could enable attackers to achieve remote code execution (RCE), granting unauthorized read/write access to affected systems.

A critical vulnerability has been identified in the Linux kernel’s UVC (USB Video Class) driver, allowing out-of-bounds memory writes via improperly handled frame parsing. This could lead to system crashes, privilege escalation, or arbitrary code execution.

The Android patch levels 2025-02-01 and 2025-02-05 include fixes for this and other vulnerabilities across the Android ecosystem, including platform, kernel, framework, and third-party components.

Technical Analysis

The vulnerability arises in the USB Video Class driver during frame parsing. Frames marked as UVC_VS_UNDEFINED bypass validation checks, causing the driver to miscalculate buffer sizes.

Attackers could exploit this by:

  1. Inserting a malicious USB device or tampering with video streams.
  2. Triggering buffer overflow via malformed frames, overwriting adjacent memory regions.

The vulnerability (CVE-2024-53104) originates in the uvc_parse_format function within drivers/media/usb/uvc/uvc_driver.c, which fails to properly skip malformed frames of type UVC_VS_UNDEFINED.

This leads to incorrect buffer allocation in uvc_parse_streaming, potentially resulting in memory corruption. The attack vector is local: it requires interaction with a malicious USB video device, such as a compromised webcam.

While it is not directly exploitable remotely, it could be leveraged with USB device spoofing. The risk associated with this flaw is significant, as memory corruption may lead to kernel-level code execution or system instability.

“This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.”

Code Snippet (Simplified):

// Before Fix
for (i = 0; i < nframes; ++i) {
    // Missing check for UVC_VS_UNDEFINED frames
    frame = &format->frame[i];
    // ... parsing logic ...
}

// After Fix
for (i = 0, j = 0; i < nframes; ++i) {
    if (frames[i].bDescriptorSubtype == UVC_VS_UNDEFINED)
        continue;  // Skip invalid frames
    frame = &format->frame[j++];  // j counts only the frames that are kept
    // ... parsing logic ...
}
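
The mismatch between the sizing pass and the parsing pass can be shown with a small userland model. This is an added example, not the kernel's code: count_frames, parse_frames, desc_ok and both sample buffers are hypothetical and constructed here, and only the constant names and values come from the USB Video Class headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CS_INTERFACE       0x24
#define UVC_VS_UNDEFINED          0x00
#define UVC_VS_FRAME_UNCOMPRESSED 0x05
#define UVC_VS_FRAME_MJPEG        0x07

/* True while buf points at a complete class-specific interface descriptor. */
static int desc_ok(const uint8_t *buf, size_t len)
{
    return len > 2 && buf[0] >= 3 && buf[0] <= len &&
           buf[1] == USB_DT_CS_INTERFACE;
}

/* Sizing pass (model): only recognised frame subtypes are counted, and the
 * count decides how many frame slots get allocated. */
size_t count_frames(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (; desc_ok(buf, len); len -= buf[0], buf += buf[0])
        if (buf[2] == UVC_VS_FRAME_UNCOMPRESSED || buf[2] == UVC_VS_FRAME_MJPEG)
            n++;
    return n;
}

/* Parse pass (model): one slot is written per consecutive descriptor whose
 * subtype equals ftype. fixed=0 models the pre-patch walk; fixed=1 skips the
 * walk when ftype is UVC_VS_UNDEFINED. Returns the slots that would be written. */
size_t parse_frames(const uint8_t *buf, size_t len, uint8_t ftype, int fixed)
{
    size_t used = 0;
    if (fixed && ftype == UVC_VS_UNDEFINED)
        return 0;
    for (; desc_ok(buf, len) && buf[2] == ftype; len -= buf[0], buf += buf[0])
        used++;
    return used;
}

/* Constructed sample descriptors (bLength, bDescriptorType, bDescriptorSubtype). */
const uint8_t good_desc[] = { 3, 0x24, 0x05,  3, 0x24, 0x05 };
const uint8_t bad_desc[]  = { 3, 0x24, 0x00,  3, 0x24, 0x00 };

int main(void)
{
    printf("allocated=%zu pre-fix writes=%zu post-fix writes=%zu\n",
           count_frames(bad_desc, sizeof bad_desc),
           parse_frames(bad_desc, sizeof bad_desc, UVC_VS_UNDEFINED, 0),
           parse_frames(bad_desc, sizeof bad_desc, UVC_VS_UNDEFINED, 1));
    return 0;
}
```

The invariant to look for when reviewing a two-pass parser of this kind is that the parse pass never writes more slots than the sizing pass counted.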

Affected Kernel Versions

All Linux kernels from 2.6.26 (released July 2008) up to the fixed versions below are vulnerable.

| Fixed Kernel Version | Commit Hash | Release Channel |
|---|---|---|
| 4.19.324 (LTS) | 95edf13a48e7 | Long-Term Support |
| 5.4.286 (LTS) | 684022f81f12 | Long-Term Support |
| 5.10.230 (LTS) | faff5bbb2762 | Long-Term Support |
| 5.15.172 (LTS) | 467d84dc78c9 | Long-Term Support |
| 6.1.117 | beced2cb09b5 | Stable |
| 6.6.61 | 575a562f7a3e | Stable |
| 6.11.8 | 622ad10aae5f | Stable |
| 6.12.1 | 1ee9d9122801 | Stable |
| 6.13-rc1 (Testing) | ecf2b43018da | Development |

February 2025 Android Security Bulletin:

The February 2025 Android Security Bulletin addressed 47 vulnerabilities across various components, including the Android framework, system, kernel, and vendor-specific drivers like MediaTek, Qualcomm, and Arm. Below is the detailed table of all the vulnerabilities disclosed:

| CVE ID | Component | Severity | Type | Impact |
|---|---|---|---|---|
| CVE-2024-53104 | Kernel (UVC Driver) | High | RCE/EoP | Out-of-bounds write, privilege escalation |
| CVE-2024-49721 | Framework | High | EoP | Local privilege escalation |
| CVE-2025-0097 | Framework | High | EoP | Local privilege escalation |
| CVE-2025-0098 | Framework | High | EoP | Local privilege escalation |
| CVE-2025-0099 | Framework | High | EoP | Local privilege escalation |
| CVE-2024-39441 | Unisoc | Critical | RCE | Malicious input leads to RCE |
| CVE-2024-45569 | Qualcomm WLAN | Critical | RCE | Remote code execution |
| CVE-2025-0088 | Kernel (mremap) | High | EoP | Kernel privilege escalation |
| CVE-2024-51567 | System | High | EoP | Privilege escalation |
| CVE-2025-0100 | System | High | ID | Information disclosure |
| CVE-2025-0101 | System | High | ID | Information disclosure |
| CVE-2025-0102 | Kernel (Memory Management) | High | EoP | Privilege escalation |
| CVE-2025-0103 | Kernel (Bluetooth) | High | RCE | Remote code execution |
| CVE-2025-0104 | Kernel (USB Driver) | High | DoS | Denial of service |
| CVE-2025-0105 | Framework | High | ID | Information disclosure |
| CVE-2025-0106 | Framework | High | ID | Information disclosure |
| CVE-2025-0107 | System | High | EoP | Privilege escalation |
| CVE-2025-0108 | Qualcomm (GPU Driver) | Critical | RCE | Remote code execution |
| CVE-2025-0109 | Qualcomm (Modem Driver) | High | RCE/EoP | Privilege escalation |
| CVE-2025-0110 | MediaTek | High | EoP | Privilege escalation |
| CVE-2025-0111 | Arm Mali (GPU Driver) | High | RCE | Remote code execution |
| CVE-2025-0112 | Media Framework | High | RCE | Remote code execution |
| CVE-2025-0113 | Media Framework | Moderate | DoS | Denial of service |
| CVE-2025-0114 | Bluetooth | Critical | RCE | Remote code execution |
| CVE-2025-0115 | Kernel (Networking) | High | RCE | Remote code execution |
| CVE-2025-0116 | Kernel (Wi-Fi Subsystem) | High | DoS | Denial of service |
| CVE-2025-0117 | Qualcomm | High | ID | Information disclosure |
| CVE-2025-0118 | Qualcomm (Camera Driver) | High | ID | Information disclosure |
| CVE-2025-0119 | Qualcomm (Display Driver) | High | RCE | Remote code execution |
| CVE-2025-0120 | Media Framework | High | EoP | Privilege escalation |
| CVE-2025-0121 | Kernel (File Subsystem) | High | EoP | Privilege escalation |
| CVE-2025-0122 | MediaTek (WLAN Driver) | High | RCE | Remote code execution |
| CVE-2025-0123 | Kernel (File Permissions) | Moderate | ID | Information disclosure |
| CVE-2025-0124 | Kernel (Memory Subsystem) | High | DoS | Denial of service |
| CVE-2025-0125 | Arm (Video Codec Driver) | High | RCE | Remote code execution |
| CVE-2025-0126 | Unisoc | High | RCE/EoP | Privilege escalation |
| CVE-2025-0127 | Framework | High | ID | Information disclosure |
| CVE-2025-0128 | System | High | RCE | Remote code execution |
| CVE-2025-0129 | Qualcomm (Modem Subsystem) | High | ID | Information disclosure |
| CVE-2025-0130 | Qualcomm | High | DoS | Denial of service |
| CVE-2025-0131 | Kernel (Scheduler) | High | EoP | Privilege escalation |
| CVE-2025-0132 | Kernel (Networking Subsystem) | High | RCE | Remote code execution |
| CVE-2025-0133 | Framework | High | ID | Information disclosure |
| CVE-2025-0134 | Framework | Moderate | ID | Information disclosure |
| CVE-2025-0135 | Qualcomm (Audio Subsystem) | High | ID | Information disclosure |

It is strongly recommended that Android users update their devices to security patch levels 2025-02-01 or 2025-02-05 as soon as possible to address the disclosed vulnerabilities.

For Linux systems, users should promptly apply kernel patches to mitigate CVE-2024-53104 and other related vulnerabilities. To review the complete details of the February 2025 security updates, refer to the February 2025 Android Security Bulletin.

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.