Google has released monthly security updates for its Android operating system aimed at fixing a known security flaw that it says has been widely exploited in the wild.
The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), is an elevation-of-privilege issue in an Android Framework component.
According to the bug's description in the NIST National Vulnerability Database (NVD), it is a logic bug that can lead to a local elevation of privilege without requiring any additional execution privileges.
“There are indications that CVE-2024-32896 may be in limited, targeted exploitation,” Google said in the September 2024 Android Security Bulletin.
It should be noted that CVE-2024-32896 was first published in June 2024 as affecting only the Google-owned Pixel line.
There are currently no details on how the vulnerability is being exploited in the wild, although GrapheneOS developers have revealed that CVE-2024-32896 ties back to a partial fix for CVE-2024-29748, another Android flaw that has been exploited by criminal companies.
Google later confirmed to The Hacker News that the impact of CVE-2024-32896 extends beyond Pixel devices to the entire Android ecosystem and that it is working with original equipment manufacturers (OEMs) to apply fixes where possible.
“This vulnerability requires physical access to the device to exploit and interrupts the factory reset process,” Google noted at that time. “Additional exploits will be required to compromise the device.”
“We are prioritizing suitable fixes for other Android OEM partners and will release them as soon as they are available. As a security best practice, users should always update their devices when new security updates become available.”