Advisory

Google releases March 2025 Android security update, fixes two actively exploited flaws

Take action: Two actively exploited flaws and multiple critical flaws are patched in this release. Plan to update your Android OS as soon as your vendor releases an update for your phone. Depending on the vendor, you might wait weeks or months before the update is released for your phone.



Google has released its March 2025 Android Security Bulletin, addressing a total of 43 vulnerabilities affecting Android devices, including two flaws that are currently under active exploitation. 

The security update was published on March 3, 2025, and contains patches for vulnerabilities ranging from high to critical severity.

Vulnerabilities "under limited, targeted exploitation":

  • CVE-2024-43093 (CVSS score 7.8) - Privilege escalation flaw in the Android Framework. This vulnerability has been in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog since November. Exploitation requires user interaction but can give an attacker local escalation of privilege with no additional execution privileges needed. This vulnerability affects Android versions 12, 12L, 13, 14, and 15, and its fix is also included in the Google Play system updates, where it affects the Documents UI component.
  • CVE-2024-50302 (CVSS score 5.5) - Information disclosure vulnerability in the HID subcomponent of the kernel.

The March update includes 10 critical-severity vulnerabilities affecting the Android System component:

  • CVE-2025-0074, CVE-2025-0075, CVE-2025-0084, CVE-2025-22403, CVE-2025-22408, CVE-2025-22410, CVE-2025-22411, and CVE-2025-22412: All rated as critical remote code execution vulnerabilities that require no additional execution privileges to exploit.
  • CVE-2025-22409: A critical escalation of privilege vulnerability.
  • CVE-2025-0081: A critical denial of service vulnerability affecting Android 12, 12L, 13, 14, and 15.

The bulletin includes two patch levels to facilitate a more flexible update process for Android partners:

  1. 2025-03-01 Patch Level: Addresses vulnerabilities in Android Framework and System components.
  2. 2025-03-05 Patch Level: Includes additional fixes for:
    • Three high-severity vulnerabilities in the kernel
    • Two high-severity vulnerabilities in MediaTek components
    • Eight high-severity vulnerabilities in Qualcomm components (five open-source and three closed-source)
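
The following is an added example, not part of the bulletin or of Google's tooling: a small triage script that compares each device's reported security patch level (the `ro.build.version.security_patch` system property) against the two patch levels described above. The device names and inventory values are constructed, and the plain date comparison assumes that a later patch level includes the fixes of earlier ones.

```python
from datetime import date

# Patch levels and the component groups each one covers, as listed above.
BULLETIN_LEVELS = [
    (date(2025, 3, 1), ["Framework", "System"]),
    (date(2025, 3, 5), ["Kernel", "MediaTek components", "Qualcomm components"]),
]

def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level string; return None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def coverage(patch_level):
    """Return (covered, missing) component groups for a reported patch level."""
    level = parse_patch_level(patch_level)
    covered, missing = [], []
    for threshold, components in BULLETIN_LEVELS:
        # Assumption: a later patch level includes every earlier level's fixes.
        bucket = covered if level is not None and level >= threshold else missing
        bucket.extend(components)
    return covered, missing

def triage(inventory):
    """Map each device to 'current', 'partial', 'outdated' or 'unknown'."""
    report = {}
    for device, reported in inventory.items():
        if parse_patch_level(reported) is None:
            report[device] = "unknown"  # property empty or unreadable: check by hand
            continue
        covered, missing = coverage(reported)
        report[device] = "current" if not missing else "partial" if covered else "outdated"
    return report

# Constructed sample inventory (hypothetical device names and values).
SAMPLE_INVENTORY = {
    "pixel-8-lab": "2025-03-05",
    "vendor-a-phone": "2025-03-01",
    "vendor-b-tablet": "2025-02-01",
    "kiosk-07": "",
}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}; missing: {', '.join(coverage(SAMPLE_INVENTORY[device])[1]) or 'none'}")
```

A device reported as "partial" has the Framework and System fixes but not the kernel and vendor-component fixes that ship only with the 2025-03-05 level.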

Pixel device users will receive these security updates immediately, while other Android manufacturers typically release security patches at a slower pace after customizing operating system updates for their specific devices.

Google encourages all Android partners to address all issues in this monthly security bulletin by implementing the most recent security patch level.
