Google has rolled out its latest security patches for the Android operating system, addressing a high-severity vulnerability that has reportedly been exploited in real-world attacks.
This high-severity flaw, identified as CVE-2024-32896 and carrying a CVSS score of 7.8, involves a privilege escalation issue within the Android Framework.
As detailed in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), this vulnerability arises from a logic error that could allow a local escalation of privileges without needing additional execution permissions.
“Evidence suggests that CVE-2024-32896 may be subject to limited, targeted attacks,” Google mentioned in its September 2024 Android Security Bulletin.
Initially disclosed in June 2024, CVE-2024-32896 was first recognized as affecting only Google’s Pixel devices.
Specific details on how the vulnerability is being exploited remain undisclosed, though the maintainers of GrapheneOS noted that CVE-2024-32896 serves as a partial fix for CVE-2024-29748, another Android vulnerability that has been exploited by forensic firms.
Google has since confirmed to The Hacker News that the reach of CVE-2024-32896 extends beyond Pixel devices, impacting the broader Android ecosystem. The company is collaborating with original equipment manufacturers (OEMs) to ensure that necessary patches are applied across various devices.
“This vulnerability requires physical access to the device to exploit, specifically interrupting the factory reset process,” Google clarified. “Further exploits would be necessary to fully compromise the device.”
“We are prioritizing the rollout of relevant patches to other Android OEM partners and will distribute them as soon as they are ready. To maintain security, users should always update their devices whenever new security patches become available.”