Google Releases April 2025 Security Patch Fixing 62 Vulnerabilities, Including Two Actively Exploited Flaws
Google has rolled out patches addressing 62 security vulnerabilities in its April 2025 Android security bulletin, including two high-severity flaws that have been exploited in the wild.
Both actively exploited flaws reside in the USB sub-component of the Linux kernel:
- CVE-2024-53150 (CVSS 7.8): An out-of-bounds read vulnerability that could lead to information disclosure.
- CVE-2024-53197 (CVSS 7.8): A privilege escalation vulnerability that could allow an attacker to gain elevated access.
According to Google, the most severe vulnerability in this update lies in the System component and could allow remote privilege escalation without requiring user interaction or additional execution privileges—a concerning scenario that increases the likelihood of exploitation.
Google noted that both CVE-2024-53150 and CVE-2024-53197 have likely been used in “limited, targeted exploitation.” The company acknowledged ongoing efforts to monitor and address such threats.
Interestingly, CVE-2024-53197 had previously been patched alongside CVE-2024-53104 and CVE-2024-50302. According to Amnesty International, all three vulnerabilities were chained by unknown actors in December 2024 to compromise the Android device of a Serbian youth activist. Google patched CVE-2024-53104 in February 2025 and CVE-2024-50302 in March 2025; with the latest fix, the full exploit chain has now been closed.
As for CVE-2024-53150, details remain unclear, including who was targeted and how the exploit was carried out. Still, users of Android devices are strongly advised to install security updates promptly once made available by their device manufacturers (OEMs).