Android Security Bulletin for April 2025 has 2 more vulnerabilities marked as being exploited in the wild.
GrapheneOS fully prevented exploiting both vulnerabilities for locked devices, made both far harder to exploit while unlocked and already had both patched for a while too.
CVE-2024-53150: heap overflow (read) in a Linux kernel USB sound card driverCVE-2024-53197: heap overflow (write) in a Linux kernel USB sound card driver
These vulnerabilities were being exploited by Cellebrite for data extraction from locked Android devices without GrapheneOS.
We have a post from late February about CVE-2024-53197 and 2 other bugs exploited by Cellebrite which they were blocked from exploiting by GrapheneOS:
https://discuss.grapheneos.org/d/20402-cellebrite-exploits-used-to-target-serbian-student-activist
CVE-2024-53150 is almost certainly part of the same batch of vulnerabilities they’ve been exploiting.
https://discuss.grapheneos.org/d/20401-grapheneos-improvements-to-protection-against-data-extraction-since-2024 covers how we’ve greatly improved the GrapheneOS defenses against these attacks since early 2024. We’re continuing to work on improving it.
We helped get firmware security improvements to Pixels and are advocating for further hardware/firmware changes.
The fact that a small team of dedicated volunteers is delivering an OS with such high standard of quality is outstanding! Thank you GrapheneOS contributors!
This also goes a long way to demonstrate Big Tech and OEMs are not giving a shit about their users/customers.
Several devs are full time and part time paid.
Thanks for the great work!
That is a great success for the GrapheneOS team. Proving they can provide a very secure operating system for everyone.
I agree 100%
