Advisory

Google releases January 2025 Android patches, fixes multiple critical flaws

Take action: Multiple critical flaws are patched in this release. Plan to update your Android OS as soon as your vendor releases an update for your phone. Depending on the vendor, you may wait weeks or months before the update reaches your phone.


Learn More

The January 2025 Android Security Bulletin, published on January 6, 2025, fixes multiple critical security vulnerabilities affecting Android devices running versions 12 through 15. The most significant vulnerabilities are found in the System component, with five critical Remote Code Execution (RCE) flaws that could allow attackers to execute malicious code remotely without requiring additional privileges.

Critical System Component Vulnerabilities (all rated Critical):

  • CVE-2024-43096 (CVSS score not assigned, designated Critical)
  • CVE-2024-43770 (CVSS score not assigned, designated Critical)
  • CVE-2024-43771 (CVSS score not assigned, designated Critical)
  • CVE-2024-49747 (CVSS score not assigned, designated Critical)
  • CVE-2024-49748 (CVSS score not assigned, designated Critical)

Additional significant vulnerabilities were identified in vendor-specific components:

MediaTek Components:

  • CVE-2024-20154 (CVSS score 8.1, designated Critical) - Affects modem component, allowing potential remote code execution through out-of-bounds memory manipulation
  • Multiple high-severity vulnerabilities affecting WLAN, power management, and other components

Qualcomm Components:

  • CVE-2024-21464 (High) - Affects kernel network data management
  • CVE-2024-45553 (High) - Kernel vulnerability
  • CVE-2024-45558 (High) - WLAN vulnerability

Affected Versions:

  • Android 12
  • Android 12L
  • Android 13
  • Android 14
  • Android 15

Samsung has already pushed patches for some of these vulnerabilities in their December update. Google notes that exploitation of many of these issues is made more difficult by enhancements in newer versions of the Android platform.

Users are urged to update their devices to security patch level 2025-01-05 or later.
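One way to check devices against the patch level above, added here as an example and not part of the original advisory: it parses `adb shell getprop` output and flags devices that report a security patch level older than 2025-01-05. The device serials and property dumps are constructed sample data, and the status labels are assumptions made for this example.

```python
import re
from datetime import date

REQUIRED_PATCH = date(2025, 1, 5)   # patch level named in the advisory
# Versions listed as affected in the advisory. Assumption: the release
# property uses the same labels (a 12L build may report plain "12").
AFFECTED_RELEASES = {"12", "12L", "13", "14", "15"}

# `getprop` prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

def parse_getprop(text):
    """Turn raw `adb shell getprop` output into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props

def classify(props):
    """Return a status string for one device's properties."""
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown-patch-level"      # missing or malformed: review manually
    if level >= REQUIRED_PATCH:
        return "patched"
    if props.get("ro.build.version.release") in AFFECTED_RELEASES:
        return "needs-update"
    return "version-not-listed"           # outside the advisory's version list

def audit(fleet):
    """Map each device serial to its status."""
    return {serial: classify(parse_getprop(dump)) for serial, dump in fleet.items()}

# Constructed sample dumps (hypothetical serials), not real device output.
SAMPLE_FLEET = {
    "DEV-A": "[ro.build.version.release]: [14]\n[ro.build.version.security_patch]: [2025-01-05]",
    "DEV-B": "[ro.build.version.release]: [13]\n[ro.build.version.security_patch]: [2024-12-01]",
    "DEV-C": "[ro.build.version.release]: [15]\n[ro.build.version.security_patch]: []",
    "DEV-D": "[ro.build.version.release]: [11]\n[ro.build.version.security_patch]: [2023-09-01]",
}

if __name__ == "__main__":
    for serial, status in audit(SAMPLE_FLEET).items():
        print(f"{serial}: {status}")
```

On a connected device, the input for `parse_getprop` is the output of `adb shell getprop`; an `unknown-patch-level` result means the property was missing or malformed and the device needs manual review.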
