SecurityWeek

First Android Update of 2025 Patches Critical Code Execution Vulnerabilities

This year’s first batch of monthly security updates for Android resolves 36 vulnerabilities, including critical remote code execution flaws.

Google on Monday announced the first set of Android security updates for 2025, with patches for 36 vulnerabilities, including five critical-severity bugs in the System component.

As usual, the update is divided into two parts, with the first arriving on devices as the 2025-01-01 security patch level and containing fixes for 24 vulnerabilities in Android’s Framework, Media Framework, and System components.

Tracked as CVE-2024-43096, CVE-2024-43770, CVE-2024-43771, CVE-2024-49747, and CVE-2024-49748, the five critical issues are described as remote code execution bugs and affect Android versions 12, 12L, 13, 14, and 15.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed,” Google notes in its advisory.

The update also resolves nine high-severity flaws in the System component, nine in Framework, and one in Media Framework. These vulnerabilities could lead to elevation of privilege, information disclosure, remote code execution, and denial-of-service.

The second part of the update, which arrives on devices as the 2025-01-05 security patch level, contains patches for 12 security defects in the Imagination Technologies, MediaTek, and Qualcomm components.

Devices running a security patch level of 2025-01-05 contain fixes for all 36 flaws in Android’s January 2025 security bulletin, as well as for those in previous bulletins.

On Tuesday, Google also announced the release of fixes for a critical-severity remote code execution flaw in the baseband subcomponent of Pixel devices, tracked as CVE-2024-53842.

All supported Google devices, the internet giant says, will receive an update to the 2025-01-05 patch level, which includes patches for CVE-2024-53842 and for all the vulnerabilities described in Android’s January 2025 security bulletin.

Devices running the Android Automotive OS and Wear OS platforms will also receive the 2025-01-05 patch level, although the updates will not address vulnerabilities specific to those platforms.

Google makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to update their devices as soon as possible.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
