
Google has released the March Android security bulletin, addressing 44 vulnerabilities, including two that have been actively exploited by threat actors in real-world attacks.
One of these, CVE-2024-43093, is a privilege escalation vulnerability in the Framework component that allows unauthorized access to the Android/data, Android/obb, and Android/sandbox directories and their subdirectories. Interestingly, Google had already flagged this vulnerability as exploited in its November bulletin but has now issued a renewed warning; the reasons for repeating it remain unclear.
The second vulnerability, CVE-2024-50302, lies in the HID (human interface device) subsystem of the Linux kernel's USB stack. It enables a local attacker, for example via a malicious USB peripheral, to read uninitialized kernel memory through specially crafted HID reports. This flaw was part of an exploit chain built by the Israeli digital-forensics firm Cellebrite and used in December 2024 to compromise the smartphone of a Serbian activist, as documented by Amnesty International. The attack also leveraged CVE-2024-53104 and CVE-2024-53197, granting elevated privileges and facilitating the installation of the NoviSpy surveillance software.
Google has confirmed that both vulnerabilities were exploited in "limited, targeted attacks." All three Linux kernel vulnerabilities received upstream kernel fixes by the end of last year; on the Android side, CVE-2024-53104 was addressed in the February 2025 bulletin and CVE-2024-50302 in this March bulletin.
As usual, the bulletin defines two patch levels: 2025-03-01 and 2025-03-05. The first covers the framework and system fixes that apply to every Android device, including CVE-2024-43093; the second additionally includes the kernel and vendor (closed-source component) fixes, including CVE-2024-50302. This split lets device manufacturers ship the common fixes quickly while the hardware-specific ones follow, and a device reporting a patch level of 2025-03-05 or later carries all fixes from this bulletin.
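To turn the two patch levels into an actionable check, here is an added POSIX shell example (my own code, not part of the bulletin or of any Google tool). It reads the level a device reports in the ro.build.version.security_patch property and classifies it against 2025-03-01 and 2025-03-05. The function names and the CHECK_ADB variable are my own conventions; the property name and the date format are Android's.

```shell
#!/bin/sh
# Added example, not from the Android bulletin or any Google tool: compare the
# security patch level a device reports in ro.build.version.security_patch
# against the two March 2025 levels. Function names and CHECK_ADB are my own.

FRAMEWORK_LEVEL="2025-03-01"   # framework/system fixes, incl. CVE-2024-43093
FULL_LEVEL="2025-03-05"        # additionally kernel/vendor fixes, incl. CVE-2024-50302

# spl_to_int YYYY-MM-DD -> prints YYYYMMDD; prints nothing and fails on malformed input.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# patch_level_meets DEVICE_LEVEL REQUIRED_LEVEL
# Succeeds (0) when the device level is the same as or newer than the required
# level. Patch levels are cumulative, so 2025-04-01 also satisfies 2025-03-05.
# Returns 2 when either value is not a well-formed patch level.
patch_level_meets() {
    d=$(spl_to_int "$1") || return 2
    r=$(spl_to_int "$2") || return 2
    [ "$d" -ge "$r" ]
}

# march_coverage DEVICE_LEVEL -> prints one of: none | framework | full
march_coverage() {
    if patch_level_meets "$1" "$FULL_LEVEL"; then
        echo full
    elif patch_level_meets "$1" "$FRAMEWORK_LEVEL"; then
        echo framework
    else
        echo none
    fi
}

# check_device: read the level over adb (needs a connected, authorized device)
# and fail unless the device carries the full March 2025 patch level.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    if [ -z "$level" ]; then
        echo "no device reachable over adb" >&2
        return 2
    fi
    echo "device reports $level: March 2025 coverage = $(march_coverage "$level")"
    patch_level_meets "$level" "$FULL_LEVEL"
}

# Only talk to adb when explicitly asked (CHECK_ADB=1 sh thisfile.sh), so the
# functions can be sourced into other scripts without side effects.
if [ -n "${CHECK_ADB:-}" ]; then
    check_device
fi
```

Because the property is an ISO date, stripping the dashes yields an integer that sorts correctly, which avoids relying on non-POSIX string comparison operators in test(1). A device at 2025-03-01 is classified as "framework": it has the CVE-2024-43093 fix but not the kernel-side CVE-2024-50302 fix, which is exactly the gap the staged levels create and the one worth reporting when auditing a fleet.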