Full Report
Serbian security services exploited one of the actively exploited vulnerabilities to break into the phone of a youth activist in Serbia, according to Amnesty International. Source: CyberScoop, "Google addresses 2 actively exploited vulnerabilities in security update".
Analysis Summary
# Vulnerability: Actively Exploited Linux Kernel USB Audio Driver Flaws in Android
## CVE Details
- CVE ID: CVE-2024-53197, CVE-2024-53150
- CVSS Score: CVE-2024-53150 carries a CVSS score of 7.1 (High severity). The score for CVE-2024-53197 is not specified, but it is also categorized as high severity.
- CWE: Not explicitly listed, but related to the Linux kernel USB audio driver.
## Affected Systems
- Products: Android devices (general), specifically components utilizing the Linux kernel USB audio driver.
- Versions: Unspecified versions prior to the April 2025 security update containing the fixes.
- Configurations: Affects systems running Android components susceptible to the Linux kernel driver flaws.
## Vulnerability Description
Two high-severity vulnerabilities exist within the Linux kernel's USB audio driver component used in Android devices. These flaws were reported to be under "limited, targeted exploitation" by threat actors. Specifically, CVE-2024-53150 allows an attacker to potentially obtain sensitive data. The two vulnerabilities are linked to a zero-day exploit chain utilized by Cellebrite forensics tools.
## Exploitation
- Status: Actively exploited in the wild (limited, targeted exploitation confirmed).
- Complexity: Implied to be low to medium, given documented state actor use.
- Attack Vector: Likely Local or Adjacent, as exploitation often requires a mechanism to interact with the USB driver, though the initial vector for the observed attack chain is not fully detailed (part of a zero-day chain).
## Impact
- Confidentiality: High (CVE-2024-53150 allows obtaining potentially sensitive data).
- Integrity: Likely moderate to high, potential for system compromise given the kernel context.
- Availability: Not specified, but kernel issues often carry availability risks.
## Remediation
### Patches
Google released fixes in the April 2025 Android Security Update, distributed under the following patch levels:
- 2025-04-01
- 2025-04-05
Source code patches for all 62 addressed vulnerabilities (including these two) will be released to the AOSP repository by Wednesday (following the advisory date).
### Workarounds
No specific workarounds are detailed in the provided context, suggesting immediate patching is the primary defense against active exploitation.
## Detection
- Indicators of Compromise: Documented exploitation includes use by Serbian security services against a youth activist, via a Cellebrite product that embeds the zero-day chain.
- Detection Methods and Tools: Detection strategies would need to focus on abnormal activity related to the USB audio driver interaction, potentially via endpoint security monitoring or kernel-level logging, although specific IOCs are absent.
## References
- Vendor Advisories: Google Android Security Update April 2025 (https://source.android.com/docs/security/bulletin/2025-04-01)
- Relevant Links:
  - NVD for CVE-2024-53197 (https://nvd.nist.gov/vuln/detail/CVE-2024-53197)
  - NVD for CVE-2024-53150 (https://nvd.nist.gov/vuln/detail/CVE-2024-53150)
  - Amnesty International Security Lab Report (https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/)