A newly disclosed high-severity Android vulnerability (CVE-2024-50302) has been actively used by Serbian authorities to unlock confiscated devices. The flaw, found in the Linux kernel’s Human Interface Device (HID) driver, was leveraged in an exploit chain developed by the Israeli digital forensics company Cellebrite. This vulnerability was identified in mid-2024 by Amnesty International’s Security Lab while analyzing logs from a compromised device.
Google patched CVE-2024-50302 in its March 2025 security update, which addressed a total of 43 vulnerabilities, including another actively exploited zero-day (CVE-2024-43093) affecting Android’s Framework. Google had already shared patches with OEMs in January 2025.
On March 4th, The Cyberseucirty and Infrastructure Security Agency (CISA) added CVE-2024-50302 to its known exploited vulnerabilities catalog.
Technical Details
CVE-2024-50302 is an information disclosure vulnerability in the Linux kernel’s HID driver that allows unauthorized access to kernel memory via a specially crafted report buffer. The vulnerability was actively exploited as part of a Cellebrite-developed exploit chain that also included:
- CVE-2024-53104: A USB Video Class zero-day (patched in February 2025)
- An ALSA USB-sound driver zero-day (not yet publicly detailed)
When combined, these exploits enabled forensic tools to bypass security measures and extract data from locked Android devices. Google has since patched the vulnerability, and the fix is included in the March 5, 2025, security update.
For more details, please read Android’s March 2025 security bulletin.
Impact
- Targeted Exploitation: The zero-day was specifically used by law enforcement agencies, raising concerns over government surveillance and the potential misuse of forensic tools.
- Potential for Widespread Abuse: While currently attributed to law enforcement use, similar vulnerabilities have historically been leveraged by malicious actors once publicly disclosed.
- Device Security Risks: Android users running outdated security patches remain at risk, particularly those using devices from manufacturers that delay patch rollouts.
Mitigation & Recommendations
Update Devices Immediately: Users and organizations should apply the latest 2025-03-05 security patch to mitigate this and other vulnerabilities.
Monitor Device Integrity: Implement Mobile Threat Defense (MTD) solutions to detect unauthorized access attempts.
Restrict USB Access: Disable untrusted USB peripherals on high-risk devices to reduce attack surface exposure.
Employ Encryption & Secure Boot: Full-disk encryption and enabling secure boot can help mitigate forensic bypass attempts.
