Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component.
According to the description of the bug in the NIST National Vulnerability Database (NVD), it stems from a logic error that could lead to local escalation of privileges without requiring any additional execution privileges.
"There are indications that CVE-2024-32896 may be under limited, targeted exploitation," Google said in its Android Security Bulletin for September 2024.
It's worth noting that CVE-2024-32896 was first disclosed in June 2024 as impacting only the Google-owned Pixel lineup.
There are currently no details on how the vulnerability is being exploited in the wild, although GrapheneOS maintainers revealed that CVE-2024-32896 plugs a partial fix for CVE-2024-29748, another Android flaw that has been weaponized by forensic companies.
Google later confirmed to The Hacker News that the impact of CVE-2024-32896 goes beyond Pixel devices to include the entire Android ecosystem and that it is working with original equipment manufacturers (OEMs) to apply the fixes where applicable.
"This vulnerability requires physical access to the device to exploit and interrupts the factory reset process," Google noted at the time. "Additional exploits would be needed to compromise the device."
"We're prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they're available. As a best security practice, users should always update their devices whenever there are new security updates available."