Google addressed two critical Android zero-day vulnerabilities, identified as CVE-2024-53150 and CVE-2024-53197, through the April 2025 security update. These vulnerabilities were actively exploited, meaning attackers used them in real-world scenarios before the patch.
Google Releases Fixes for Two Android Zero-Day Flaws
On April 8, 2025, Google released its monthly Android security bulletin, patching 62 vulnerabilities, with a focus on two zero-day flaws that were under active exploitation. Zero-day vulnerabilities are particularly concerning as they are exploited before developers can identify and patch them, often by sophisticated actors such as government agencies or cybercriminals. The timing of this update, aligning with the first Monday of April, follows Google’s standard practice, as noted in Android Security Bulletins Overview.
The vulnerabilities, tracked as CVE-2024-53150 and CVE-2024-53197, were part of the Linux kernel’s USB-audio driver, a critical component handling audio over USB connections. This location in the kernel makes them especially dangerous, as kernel-level exploits can bypass many security layers, potentially leading to full device compromise. As Android itself is a derivative of Linux, such flaws touch it as well.
New Android Vulnerabilities: Key Facts
To understand these vulnerabilities, we looked into the National Vulnerability Database (NVD) and related reports. Here’s a breakdown of each issue, including technical details and potential impact.
Attribute | CVE-2024-53150 | CVE-2024-53197 |
Date of Discovery | Late 2024 | Late 2024 |
Fix Date | April 8, 2025 | April 8, 2025 |
Cause | Out-of-bounds read in USB-audio driver due to insufficient length checks on clock descriptors | Out-of-bounds write in USB-audio driver due to improper bounds checking on bNumConfigurations |
Vulnerable Versions | Android versions prior to April 2025 patch (e.g., 12, 13, 14, 15) with unpatched Linux kernel | Android versions prior to April 2025 patch (e.g., 12, 13, 14, 15) with unpatched Linux kernel |
The first one, CVE-2024-53150, is an out-of-bounds read in the USB-audio driver, specifically in the ALSA (Advanced Linux Sound Architecture) component of the Linux kernel. Its CVSS score is 7.8, so it’s considered high severity. The problem occurs when the driver traverses clock descriptors—it doesn’t properly check the length (bLength) of each descriptor. A malicious device can exploit this by sending a bogus descriptor that’s too short, causing the driver to read beyond the allocated memory.
According to the vulnerability list entry, this was fixed by adding sanity checks to the validator functions to skip descriptors that don’t meet the minimum length requirements. Out-of-bounds reads can leak sensitive memory data, including user info or system-level secrets. This type of attack would typically be launched through a malicious USB device. Although there aren’t many details on real-world exploitation, reports indicate it’s been used in targeted attacks—likely alongside other bugs for greater effect.
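The length check described above, as an added user-space example (not the kernel's code and not from the original article). It walks a descriptor chain and skips any clock source descriptor whose bLength is below the minimum; the function names and the sample bytes are constructed for illustration, and the descriptor layout assumed is the 8-byte UAC2 clock source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_CS_INTERFACE   0x24 /* class-specific interface descriptor type */
#define UAC2_CLOCK_SOURCE 0x0a /* UAC2 clock source subtype */
#define CLOCK_SOURCE_LEN  8    /* full size of a UAC2 clock source descriptor */

/* Constructed sample: a bogus 4-byte clock source (id 7) followed by a
 * well-formed 8-byte clock source (id 9, bmAttributes 0x03). */
static const uint8_t sample[] = {
    0x04, DT_CS_INTERFACE, UAC2_CLOCK_SOURCE, 0x07,
    0x08, DT_CS_INTERFACE, UAC2_CLOCK_SOURCE, 0x09, 0x03, 0x00, 0x00, 0x00,
};

/* Walk the descriptor chain and return the clock source with this id, or
 * NULL. bLength is validated against the bytes left in the buffer and
 * against the minimum size for the type before any field is read. */
const uint8_t *find_clock_source(const uint8_t *buf, size_t len, uint8_t id)
{
    size_t off = 0;
    while (len - off >= 2) {
        const uint8_t *d = buf + off;
        size_t blen = d[0];
        if (blen < 2 || blen > len - off)
            return NULL;               /* chain is malformed: stop walking */
        if (d[1] == DT_CS_INTERFACE && blen >= 3 &&
            d[2] == UAC2_CLOCK_SOURCE &&
            blen >= CLOCK_SOURCE_LEN && /* too-short descriptors are skipped */
            d[3] == id)
            return d;
        off += blen;
    }
    return NULL;
}

/* bmAttributes (offset 4) of the clock source, or -1 if it is not found. */
int clock_attributes(const uint8_t *buf, size_t len, uint8_t id)
{
    const uint8_t *d = find_clock_source(buf, len, id);
    return d ? d[4] : -1;
}

int main(void)
{
    printf("id 7 -> %d, id 9 -> %d\n", clock_attributes(sample, sizeof(sample), 7),
           clock_attributes(sample, sizeof(sample), 9));
    return 0;
}
```

Without the `blen >= CLOCK_SOURCE_LEN` test, the 4-byte descriptor with id 7 would be accepted and a later read of its attribute field would land in the bytes of the next descriptor or past the end of the buffer.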
The second vulnerability, CVE-2024-53197, is an out-of-bounds write, again in the USB-audio driver. Like the previous CVE, this one also scores 7.8 on the CVSS scale, and worse, it is a zero-click flaw. It lies in the handling of certain devices, such as the Extigy and Mbox. Here, an attacker can manipulate the bNumConfigurations value to exceed what the driver expects. That leads to out-of-bounds writes during configuration allocation.
The issue was patched by implementing proper bounds checks in the usb_get_configuration function. This flaw can be used for privilege escalation, potentially letting attackers inject and run arbitrary code in the kernel—yes, with full system privileges. No user interaction is required.
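The bounds check on bNumConfigurations, as an added example on a simplified model (not kernel code and not from the original article). It assumes the device reports its configuration count a second time after the configuration array has already been sized; the struct and the model_* function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified device record used only for this example. */
struct model_dev {
    uint8_t bNumConfigurations; /* count taken from the device descriptor */
    size_t  allocated;          /* slots actually allocated in config[] */
    int    *config;             /* one slot per configuration */
};

/* Size the array from the count reported at enumeration. */
int model_enumerate(struct model_dev *dev, uint8_t reported)
{
    dev->config = calloc(reported ? reported : 1, sizeof(*dev->config));
    if (!dev->config)
        return -1;
    dev->allocated = reported;
    dev->bNumConfigurations = reported;
    return 0;
}

/* Accept a re-read count only if it still fits the existing allocation.
 * Returns 0 when accepted, -1 when the larger count is rejected. */
int model_reread_descriptor(struct model_dev *dev, uint8_t reported)
{
    if (reported > dev->allocated)
        return -1; /* bogus larger count: keep the old value */
    dev->bNumConfigurations = reported;
    return 0;
}

/* A loop bounded by bNumConfigurations: it would write past config[] if the
 * count were ever allowed to exceed the allocation. Returns slots written. */
size_t model_reset_configs(struct model_dev *dev)
{
    size_t i;
    for (i = 0; i < dev->bNumConfigurations; i++)
        dev->config[i] = 0;
    return i;
}

int main(void)
{
    struct model_dev d;
    if (model_enumerate(&d, 1) != 0)
        return 1;
    printf("re-read with 4 configs -> %d\n", model_reread_descriptor(&d, 4));
    printf("slots written -> %zu\n", model_reset_configs(&d));
    free(d.config);
    return 0;
}
```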
Amnesty International reported that this Android zero-day vulnerability was part of a real-world exploit chain used by Serbian authorities in December 2024. The target? A student activist’s Android phone. But more on that next. The exploit chain included this CVE along with CVE-2024-53104 and CVE-2024-50302, both of which had been patched earlier. This points to a coordinated attack likely involving commercial surveillance tools, such as those provided by Cellebrite.
Real-World Exploitation and Targeted Attacks Suggested
Some reports confirm that both Android zero-day vulnerabilities were used in “limited, targeted exploitation,” likely by state actors or advanced persistent threat groups. The case of the Serbian student activist is particularly notable, where local authorities used these flaws to attempt spyware installation, highlighting the geopolitical implications of such vulnerabilities.
So, government-backed actors are leveraging these flaws for surveillance, which adds a layer of complexity, especially for activists and journalists who may be targeted. It also raises questions about the role of forensic tool providers like Cellebrite, which was implicated in developing the exploit chain and subsequently banned Serbia from using its products, as noted in Candid Technology.
From a technical standpoint, both Android zero-day vulnerabilities highlight the challenges of securing kernel-level components, particularly those interfacing with hardware like USB. The USB-audio driver’s complexity, handling various device types, makes it a frequent target, as seen with previous vulnerabilities like CVE-2024-53104, patched in February 2025. Policy-wise, the exploitation by state actors raises concerns about digital rights and privacy, especially in authoritarian contexts.
Mitigation and User Guidance
Google acted quickly in response to these vulnerabilities, releasing patches as part of the April 2025 security update. Devices that have been updated to this patch level are protected. The update includes two patch levels: 2025-04-01 and 2025-04-05.
To stay safe, users are strongly encouraged to take a few important steps. First, check for and install the latest security updates on your Android device. Make sure your patch level is 2025-04-05 or later to ensure you’re covered.
Second, be extra cautious with USB connections — especially when plugging into unfamiliar or untrusted devices. These Android zero-day vulnerabilities are tied to the USB stack, so it’s not the best time to be adventurous with random charging stations.