SB2025030358 - Multiple vulnerabilities in Google Android
Published: March 3, 2025 Updated: March 31, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 39 secuirty vulnerabilities.
1) NULL Pointer Dereference (CVE-ID: CVE-2024-53024)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Display. A local application can execute arbitrary code.
2) Integer overflow (CVE-ID: CVE-2024-53025)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in BT Controller. A local application can perform a denial of service (DoS) attack.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-53011)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to improper input validation in Video Analytics and Processing. A local privileged application can read and manipulate data.
4) Improper Authorization (CVE-ID: CVE-2024-43051)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation in SPS-HLOS. A local application can gain access to sensitive information.
5) Buffer overflow (CVE-ID: CVE-2024-53027)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Host. A remote attacker can perform a denial of service (DoS) attack.
6) Improper Validation of Array Index (CVE-ID: CVE-2024-53014)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
7) Off-by-one (CVE-ID: CVE-2024-46852)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an off-by-one error within the cma_heap_vm_fault() function in drivers/dma-buf/heaps/cma_heap.c. A local user can perform a denial of service (DoS) attack.
8) Buffer over-read (CVE-ID: CVE-2024-49838)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in WLAN HOST. A remote attacker can read and manipulate data.
9) Improper Validation of Array Index (CVE-ID: CVE-2024-49836)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Camera. A local application can execute arbitrary code.
10) Improper Validation of Syntactic Correctness of Input (CVE-ID: CVE-2025-20644)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to incorrect error handling within Modem. A local application can perform service disruption.
11) Out-of-bounds write (CVE-ID: CVE-2025-20645)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within KeyInstall. A local application can execute arbitrary code.
12) State Issues (CVE-ID: CVE-2025-22413)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to an error in KVM implementation of the PSCI state handling. A local application can gain access to sensitive information.
13) Memory leak (CVE-ID: CVE-2024-50302)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the hid_alloc_report_buf() function in drivers/hid/hid-core.c. A local user can perform a denial of service (DoS) attack.
Note, the vulnerability is being actively exploited in the wild against Android devices.
14) Information exposure (CVE-ID: CVE-2025-22407)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
15) Improper input validation (CVE-ID: CVE-2025-22406)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
16) Improper input validation (CVE-ID: CVE-2025-0079)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
17) Improper input validation (CVE-ID: CVE-2023-21125)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
18) Improper input validation (CVE-ID: CVE-2025-0081)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the System component. A local application can perform a denial of service (DoS) attack.
19) Improper input validation (CVE-ID: CVE-2025-22409)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
20) Improper input validation (CVE-ID: CVE-2025-22412)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
21) Improper input validation (CVE-ID: CVE-2025-22408)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
22) Improper input validation (CVE-ID: CVE-2025-22410)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
23) Improper input validation (CVE-ID: CVE-2025-22403)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
24) Information exposure (CVE-ID: CVE-2025-0093)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
25) Information exposure (CVE-ID: CVE-2024-49728)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
26) Improper input validation (CVE-ID: CVE-2025-22411)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
27) Improper input validation (CVE-ID: CVE-2025-22405)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
28) Information exposure (CVE-ID: CVE-2025-0092)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
29) Improper input validation (CVE-ID: CVE-2025-22404)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
30) Information exposure (CVE-ID: CVE-2025-26417)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
31) Information exposure (CVE-ID: CVE-2025-0082)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
32) Improper input validation (CVE-ID: CVE-2025-0084)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
33) Information exposure (CVE-ID: CVE-2025-0083)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.
34) Improper input validation (CVE-ID: CVE-2025-0080)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
35) Improper input validation (CVE-ID: CVE-2025-0078)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
36) Improper input validation (CVE-ID: CVE-2025-0074)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
37) Improper input validation (CVE-ID: CVE-2025-0075)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
38) Improper input validation (CVE-ID: CVE-2024-49740)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.
39) Information exposure (CVE-ID: CVE-2025-0086)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.
Remediation
Install update from vendor's website.
References
- https://source.android.com/docs/security/bulletin/2025-03-01
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/806774b1cf641e0c0e7df8024e327febf23d7d7c
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/b1e6d8d1e393d246a0738c92747a0bef98e67a30
- https://android.googlesource.com/platform/system/bt/+/e7b978841deb331ff5e5849388fa92ee4c40f979
- https://android.googlesource.com/platform/external/dng_sdk/+/7fc02c8d5af37c97b325dc2956f4a6117c145c2f
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/37bcf769c1aa8dfa8e5524858d47f6a80b765fa4
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/090ca53cc13c12e3763777a6a3c7367641e9808f
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/4b65cbb339db4d3a7a9a6100cb2e7c9f1ece9271
- https://android.googlesource.com/platform/packages/providers/DownloadProvider/+/ed764e06106adef1cff5178c6df038fd054e7bec
- https://android.googlesource.com/platform/packages/services/Telecomm/+/685c2fc2f6b40bb2113db77da270c7b7220791c4
- https://android.googlesource.com/platform/frameworks/base/+/7ba8c8f63f1b13b127c871749314a242ff022ae2
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/94c565214e3496fbaade9efed8be41d6425ba21e
- https://android.googlesource.com/platform/frameworks/base/+/5916a3de10fa9ca6a9b31f489be1838c0a1613f4
- https://android.googlesource.com/platform/frameworks/native/+/c32d4defe0f4e5cad86437d6672de7a76caf1a79
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5959f8bcf4efe924b0ba4dbcbfe83e602f0eb0ac
- https://android.googlesource.com/platform/frameworks/base/+/bcb1316835dc31f33f0c3b409ee847c389c09d2b
- https://android.googlesource.com/platform/packages/services/Telephony/+/b1ab472f0f56146387d3822318394cb2525ad34c
- https://android.googlesource.com/platform/frameworks/base/+/c1aa9e662464b8fa49765d53a82efa8e06bb176a