Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component.
According to the description of the bug in the NIST National Vulnerability Database (NVD), it concerns a logic error that could lead to local escalation of privileges without requiring any additional execution privileges.
“There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” Google said in its Android Security Bulletin for September 2024.
It's worth noting that CVE-2024-32896 was first disclosed in June 2024 as impacting only the Google-owned Pixel lineup.
There are currently no details on how the vulnerability is being exploited in the wild, although GrapheneOS maintainers revealed that CVE-2024-32896 plugs a partial solution for CVE-2024-29748, another Android flaw that has been weaponized by forensic companies.
Google later confirmed to The Hacker News that the impact of CVE-2024-32896 goes beyond Pixel devices to include the entire Android ecosystem and that it is working with original equipment manufacturers (OEMs) to apply the fixes where applicable.
“This vulnerability requires physical access to the device to exploit and interrupts the factory reset process,” Google noted at the time. “Additional exploits would be needed to compromise the device.”
“We’re prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they’re available. As a best security practice, users should always update their devices whenever there are new security updates available.”