Android security update contains 2 actively exploited vulnerabilities

Google addressed 43 vulnerabilities affecting Android devices in its March security update, including a pair of software defects reportedly under active exploitation. Google said the two vulnerabilities — CVE-2024-43093 and CVE-2024-50302 — “may be under limited, targeted exploitation.”
The more severe of the two flaws under active exploitation, CVE-2024-43093, carries a CVSS score of 7.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog in November. The Android framework vulnerability allows local escalation of privilege with no additional execution privileges needed, but exploitation requires user interaction.
Google’s security advisory includes 11 high-severity flaws and 10 critical-severity vulnerabilities affecting the Android system, the most severe of which could lead to remote code execution. Google also addressed nine high-severity vulnerabilities affecting the Android framework.
Google’s Android security update contains two patch levels — 2025-03-01 and 2025-03-05 — allowing Android partners to easily fix certain common vulnerabilities on different devices. The second patch level includes fixes for a trio of high-severity flaws affecting the kernel, a pair of vulnerabilities in MediaTek components and a total of eight high-severity defects in Qualcomm components.
Pixel device users will get access to the latest Android security updates shortly, yet other Android manufacturers typically release security patches at a slower pace after they’ve customized operating system updates specific to their devices.
Google said source code patches for the flaws were released to the Android Open Source Project repository. The company routinely encourages all Android partners to fix all issues in its monthly security bulletins, following the most recent security patch level.