Google patches exploited Android zero-day on Pixel devices

Update June 13, 13:01 EDT: GrapheneOS says CVE-2024-32896 is the same as CVE-2024-29748. Google added a new CVE ID to track the Pixel fix for CVE-2024-29748, a vulnerability exploited by multiple forensics companies, as BleepingComputer reported in April.

“It was exploited by forensics companies against users with apps like Wasted and Sentry trying to wipe the device when detecting an attack. We addressed it as part of making our duress PIN/password feature and reported it to get Google to fix it across Android which is now done,” GrapheneOS stated.

“It’s fixed on Pixels with the June update (Android 14 QPR3) and will be fixed on other Android devices when they eventually update to Android 15. If they don’t update to Android 15, they probably won’t get the fix, since it has not been backported. Not all patches are backported.”

The title has been revised to indicate these are Pixel-specific updates. Original story below.


Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been exploited in targeted attacks as a zero-day.

Tracked as CVE-2024-32896, this elevation of privilege (EoP) flaw in the Pixel firmware has been rated a high-severity security issue.

“There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” the company warned this Tuesday.

“All supported Google devices will receive an update to the 2024-06-05 patch level. We encourage all customers to accept these updates to their devices.”

Google tagged 44 other security bugs in this month’s Pixel update bulletin, seven of which are privilege escalation vulnerabilities considered critical and impacting various subcomponents.

While Pixel devices also run Android, they receive separate security and bug fix updates from the standard monthly patches distributed to all Android OEMs because of their exclusive features and capabilities and the unique hardware platform directly controlled by Google.

You can find more details on the June 2024 updates for the Pixel in the security bulletin dedicated to Google’s own smartphone range.

To apply the security update, Pixel users must go to Settings > Security & privacy > System & updates > Security update, tap Install, and restart the device to complete the update process.

Earlier this month, Arm warned of a memory-related vulnerability (CVE-2024-4610) in Bifrost and Valhall GPU kernel drivers exploited in the wild.

This use-after-free (UAF) vulnerability impacts all versions of Bifrost and Valhall drivers from r34p0 through r40p0, and it can be exploited in attacks that lead to information disclosure and arbitrary code execution.

In April, Google fixed two other Pixel zero-days exploited by forensic firms to unlock phones without a PIN and access the data. CVE-2024-29745 was tagged as a high-severity information disclosure bug in the Pixel bootloader, while CVE-2024-29748 is a high-severity privilege escalation bug in the Pixel firmware.
