Google on Tuesday announced a fresh set of Android security updates that address 35 vulnerabilities, including a local privilege escalation bug exploited in attacks.
The exploited flaw, tracked as CVE-2024-32896 (CVSS score of 7.8), is a high-severity issue affecting Android’s Framework component. A logic error in the code could lead to protection bypass, allowing a local attacker to elevate privileges.
“The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in the September 2024 Android security bulletin.
The bug was initially disclosed in June, when Google warned that it had been exploited as a zero-day to target Pixel devices. The internet giant’s June 2024 Pixel security update resolved the vulnerability.
“There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” Google warns again.
CVE-2024-32896 was addressed with the first part of this month’s Android updates, which arrives on devices as the 2024-09-01 security patch level, with fixes for a total of 10 security defects.
All these issues, three in Framework and seven in the System component, are high-severity flaws, Google’s advisory reveals.
The second part of the Android security update rolls out to devices as the 2024-09-05 security patch level with fixes for 25 bugs in Kernel, Arm, Imagination Technologies, Unisoc, and Qualcomm components.
An Android security patch level of 2024-09-05 or later resolves all these vulnerabilities and the flaws patched with previous security updates.
The September 2024 Pixel security update patches six issues, including four critical-severity bugs, all four described as elevation of privilege flaws. Google makes no mention of any of these being exploited in the wild.
While no functional patches were included in the Pixel update, devices running a security patch level of 2024-09-05 address all six vulnerabilities, as well as the security defects resolved with Android’s September 2024 update.
On Monday, Google also published a separate advisory drawing attention to 14 security defects resolved with the Android 15 update. All Android 15 devices running a security patch level of 2024-09-01 or later contain fixes for the resolved bugs.
The internet giant also announced Automotive OS and Wear OS updates. In addition to the flaws described in the September 2024 Android security bulletin, they patch one and four vulnerabilities, respectively.
Related: Google Patches Android Zero-Day Exploited in Targeted Attacks
Related: Google Patches 25 Android Flaws, Including Critical Privilege Escalation Bug
Related: Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution
Related: Qualcomm Modem Chip Flaw Exploitable From Android: Researchers
