Google fixed actively exploited Android flaw CVE-2024-32896

Summary: Google has patched a high-severity privilege escalation vulnerability in its Android operating system, tracked as CVE-2024-32896, which is currently being exploited in the wild. The vulnerability allows for local escalation of privileges with user interaction required for exploitation.

Threat Actor: Unknown
Victim: Google Android users

Key Points:

  • The vulnerability CVE-2024-32896 has a CVSS score of 7.8 and is under active exploitation.
  • Exploitation requires user interaction and is linked to a logic error in the Android Framework component.
  • The issue was addressed in the September 2024 Android Security Bulletin, with a full fix included in Android 14 QPR3.
  • GrapheneOS maintainers noted that the vulnerability results from the partial mitigation of another flaw, CVE-2024-29748.

Google addressed a high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), in its Android operating system that is under active exploitation in the wild.

The vulnerability CVE-2024-32896 is a privilege escalation in the Android Framework component.

“there is a possible way to bypass due to a logic error in the code,” reads the advisory published by the NIST National Vulnerability Database (NVD). “This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.”

Google addressed the issue with the release of the Android Security Bulletin for September 2024.

“There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” reads the Bulletin for September 2024.

In June 2024, Google warned of an elevation of privilege vulnerability, tracked as CVE-2024-32896, in the Pixel Firmware, which has been exploited in the wild as a zero-day.

“There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” reads the advisory.

As usual, the IT giant did not provide technical information about attacks exploiting the above issue.

The maintainers of GrapheneOS, an Android-based, open source, privacy and security-focused mobile operating system, explained that CVE-2024-32896 results from the partial mitigation of another flaw tracked as CVE-2024-29748.

The experts pointed out that while these vulnerabilities are not exclusive to Pixel devices, the mitigations only addressed the issues on Pixels. The vulnerabilities involve interrupting the reboot used for wipes requested via the device admin API, which applies to all devices. The fix for CVE-2024-32896 is a full fix included in Android 14 QPR3, while the fix for CVE-2024-29748 was a Pixel-specific mitigation in the bootloader. The full solution now allows wipe-without-reboot in Android 14 QPR3.

Pierluigi Paganini




Source: https://securityaffairs.com/168047/mobile-2/google-fixed-actively-exploited-android-flaw-cve-2024-32896.html