Android patches several vulnerabilities in first security update of 2025

The bulletin identifies five critical remote code execution (RCE) vulnerabilities affecting the core components of Android’s system.

Android has released its first security update of the year, disclosing several critical and high-severity vulnerabilities that affect a wide range of Android devices. 

The bulletin identifies five critical remote code execution (RCE) vulnerabilities affecting what Android categorizes as the “system,” which encompasses Android’s core components and underlying architecture. These vulnerabilities could allow attackers to execute code without needing additional privileges. Devices receiving a security patch level dated January 5, 2025, or later are protected from these vulnerabilities.

The vulnerabilities are cataloged as follows: 

  • CVE-2024-43096
  • CVE-2024-43770 
  • CVE-2024-43771
  • CVE-2024-49747 
  • CVE-2024-49748

Samsung, which uses Android as the operating system on its devices, pushed a patch for these vulnerabilities in a December update. 

The vulnerabilities were discovered by researchers at Oppo’s Amber Security Lab. Oppo is a Chinese consumer electronics manufacturer that runs a custom version of Android OS on its devices. 

Additionally, the bulletin gives details on vulnerabilities in components from third-party vendors, including MediaTek and Qualcomm. 

A vulnerability in MediaTek’s modem chipset (CVE-2024-20154) is an out-of-bounds write: data can be written outside its intended memory region because there is no bounds check. This problem might allow someone to control the device from afar by tricking it into connecting to a fake cell tower.

One particular Qualcomm vulnerability, cataloged as CVE-2024-21464, arises from a problem in the part of a device that manages data networks and connections. Data is copied without checking whether it fits into the destination memory space. This can cause memory corruption, especially when no active users are connected to the device’s internet capabilities.


Consumers with Google-issued devices, such as the Google Pixel, or Android partners are asked to apply these patches promptly and efficiently.
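A defender-side check for the patch level named above, as an added example that is not part of the original article or the Android bulletin: it classifies devices by their reported `ro.build.version.security_patch` value against the January 5, 2025 level. The function names and sample device names are constructed for illustration, and `collect_from_adb` assumes `adb` is installed with devices attached.

```shell
#!/bin/sh
# Patch level the article says covers the five critical system RCEs.
REQUIRED_LEVEL=20250105

# classify_patch_level LEVEL -> prints patched | outdated | unknown
classify_patch_level() {
    case "$1" in
        # Android reports the level as YYYY-MM-DD; reject anything else.
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Drop the dashes so the date compares as a plain integer.
    if [ "$(printf '%s' "$1" | tr -d '-')" -lt "$REQUIRED_LEVEL" ]; then
        echo outdated
    else
        echo patched
    fi
}

# audit_inventory: reads "device_id patch_level" lines on stdin and
# prints "device_id status patch_level" for each device.
audit_inventory() {
    while read -r dev_id dev_level; do
        [ -n "$dev_id" ] || continue
        echo "$dev_id $(classify_patch_level "$dev_level") ${dev_level:-none}"
    done
}

# collect_from_adb: builds the inventory from attached devices.
# Assumes adb is installed; not called by default.
collect_from_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        echo "$serial $level"
    done
}

# Constructed sample inventory (hypothetical device names).
sample_inventory() {
    cat <<'EOF'
pixel-8-lab 2025-01-05
galaxy-s23-qa 2024-12-01
tablet-kiosk 2025-01-01
legacy-handset
EOF
}

sample_inventory | audit_inventory
```

To audit real hardware, replace the last line with `collect_from_adb | audit_inventory`; a device that reports no patch level is listed as `unknown` rather than assumed safe.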

You can read the full bulletin here

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.