Google has issued its latest security updates for the Android operating system, addressing a high-severity vulnerability that has been actively exploited in the wild. The flaw, identified as CVE-2024-32896 and carrying a CVSS score of 7.8, involves a privilege escalation issue within the Android Framework component.
The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) describes this vulnerability as a logic error that allows local escalation of privileges without needing additional execution permissions.
In its September 2024 Android Security Bulletin, Google confirmed, “There are indications that CVE-2024-32896 may be under limited, targeted exploitation.” Initially disclosed in June 2024, the vulnerability was believed to affect only Google’s Pixel devices.
However, Google has since confirmed that the impact of CVE-2024-32896 extends beyond Pixel devices, affecting the broader Android ecosystem. The company is collaborating with original equipment manufacturers (OEMs) to implement the necessary fixes.
Although specific details on how the vulnerability is being exploited remain undisclosed, GrapheneOS maintainers have indicated that CVE-2024-32896 is the second part of a fix whose first part, CVE-2024-29748, only partially closed the hole; CVE-2024-29748 was itself exploited by forensic companies.
“This vulnerability requires physical access to the device to exploit and disrupts the factory reset process,” Google noted earlier, in its description of CVE-2024-29748. “Additional exploits would be necessary to fully compromise the device.”
Google emphasized the importance of users applying security updates promptly, stating, “We are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available. As a best security practice, users should always update their devices whenever new security updates are available.”
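The practical check that follows from the advice above is whether a given device actually carries the bulletin's patch level. The script below is an added example for this article, not Google's or any OEM's code: it reads the real Android system property `ro.build.version.security_patch` from `adb shell getprop` output and compares it against a required level. The required level of 2024-09-01 (the September 2024 bulletin's first patch level) is an assumption; confirm the exact level for the Framework fix against the bulletin itself. The `getprop` samples are constructed, not captured from real devices.

```python
"""Check whether an Android device's security patch level covers a bulletin.

Added example, not Google's or an OEM's code. Assumes the Framework fix ships
at the 2024-09-01 patch level (the September 2024 bulletin's first level).
"""
from datetime import date
import re
import subprocess

PATCH_PROP = "ro.build.version.security_patch"  # real Android system property
REQUIRED_LEVEL = date(2024, 9, 1)               # assumption: verify against the bulletin

# getprop prints one property per line as `[name]: [value]`
_PROP_RE = re.compile(r"\[([^\]]+)\]:\s*\[([^\]]*)\]")


def parse_getprop(output: str) -> dict:
    """Parse `getprop` output into a {name: value} dict."""
    return {m.group(1): m.group(2) for m in _PROP_RE.finditer(output)}


def security_patch_level(props: dict):
    """Return the declared patch level as a date, or None if absent or malformed."""
    raw = props.get(PATCH_PROP, "").strip()
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def is_patched(props: dict, required: date = REQUIRED_LEVEL) -> bool:
    """True only when a well-formed patch level is at or past the required level.

    A missing or unparsable property is treated as unpatched (fail closed).
    """
    level = security_patch_level(props)
    return level is not None and level >= required


def check_device(output: str, required: date = REQUIRED_LEVEL) -> str:
    """Human-readable verdict for one device's getprop output."""
    props = parse_getprop(output)
    level = security_patch_level(props)
    model = props.get("ro.product.model", "unknown device")
    if level is None:
        return f"{model}: no valid {PATCH_PROP}; treat as unpatched"
    status = "patched" if level >= required else "UNPATCHED"
    return (f"{model}: patch level {level.isoformat()} "
            f"({status}, need >= {required.isoformat()})")


def check_connected_device(required: date = REQUIRED_LEVEL) -> str:
    """Run the check against a USB-connected device (needs adb on PATH)."""
    out = subprocess.run(["adb", "shell", "getprop"],
                         capture_output=True, text=True, check=True).stdout
    return check_device(out, required)


# Constructed sample getprop output (not from real devices).
SAMPLE_CURRENT = """[ro.product.model]: [Pixel 8]
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-09-05]
"""
SAMPLE_STALE = """[ro.product.model]: [OEM Phone X]
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-08-05]
"""
SAMPLE_BROKEN = """[ro.product.model]: [OEM Phone Y]
[ro.build.version.security_patch]: []
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CURRENT, SAMPLE_STALE, SAMPLE_BROKEN):
        print(check_device(sample))
```

Two caveats a practitioner should keep in mind: the property is the level the OEM declares, so on non-Pixel devices it only turns green once the partner's build carrying the fix has actually shipped, as the article notes; and the check fails closed, so an empty or malformed value is reported as unpatched rather than silently passing.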