Ravie Lakshmanan

Google has released its monthly security updates for the Android operating system to address a high-severity vulnerability that has been actively exploited in the wild.
The vulnerability, tracked as CVE-2024-32896, is a privilege escalation flaw in the Android Framework component and has a CVSS score of 7.8.
The description of the bug in the NIST National Vulnerability Database (NVD) highlights a logic error that could lead to local escalation of privileges without requiring additional execution privileges.
“There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” Google mentioned in its Android Security Bulletin for September 2024.
In June 2024, the vulnerability was initially reported as affecting only the Google Pixel lineup.
Details of how the vulnerability is being exploited are currently unknown, but the CVE-2024-32896 update is said to provide a partial fix for another Android flaw, CVE-2024-29748, which has been used by forensic companies.
Google confirmed that the impact of CVE-2024-32896 extends beyond Pixel devices to the entire Android ecosystem and said it is collaborating with OEMs to deploy fixes.
Exploiting the vulnerability requires physical access to the device and disrupts the factory reset process; additional exploits are needed to compromise the device.
Users are advised to update their devices whenever new security updates are available as a best security practice.