Update June 13, 13:01 EDT: GrapheneOS says CVE-2024-32896 is the same as CVE-2024-29748. Google added a new CVE ID to track the Pixel fix for CVE-2024-29748, a vulnerability exploited by several forensics companies, as BleepingComputer reported in April.
"It was exploited by forensics companies against users with apps like Wasted and Sentry trying to wipe the device when detecting an attack. We addressed it as part of making our duress PIN/password feature and reported it to get Google to fix it across Android which is now done," GrapheneOS said.
"It's fixed on Pixels with the June update (Android 14 QPR3) and will be fixed on other Android devices when they eventually update to Android 15. If they don't update to Android 15, they probably won't get the fix, since it has not been backported. Not all patches are backported."
The title has been revised to show these are Pixel-specific updates. Original story below.
Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been exploited in targeted attacks as a zero-day.
Tracked as CVE-2024-32896, this elevation of privilege (EoP) flaw in the Pixel firmware has been rated a high-severity security issue.
"There are indications that CVE-2024-32896 may be under limited, targeted exploitation," the company warned this Tuesday.
"All supported Google devices will receive an update to the 2024-06-05 patch level. We encourage all customers to accept these updates to their devices."
Google tagged 44 other security bugs in this month's Pixel update bulletin, seven of which are privilege escalation vulnerabilities considered critical and impact various subcomponents.
While Pixel devices also run Android, they receive separate security and bug fix updates from the standard monthly patches distributed to all Android OEMs because of their exclusive features and capabilities and the unique hardware platform directly controlled by Google.
You can find more details on the June 2024 updates for the Pixel in the security bulletin dedicated to Google's own smartphone range.
To apply the security update, Pixel users must go to Settings > Security & privacy > System & updates > Security update, tap Install, and restart the device to complete the update process.
Earlier this month, Arm warned of a memory-related vulnerability (CVE-2024-4610) in Bifrost and Valhall GPU kernel drivers exploited in the wild.
This use-after-free vulnerability (UAF) impacts all versions of Bifrost and Valhall drivers from r34p0 through r40p0, and it can be exploited in attacks that lead to information disclosure and arbitrary code execution.
In April, Google fixed two other Pixel zero-days exploited by forensic firms to unlock phones without a PIN and access the data. CVE-2024-29745 was tagged as a high-severity information disclosure bug in the Pixel bootloader, while CVE-2024-29748 is a high-severity privilege escalation bug in the Pixel firmware.
Comments
java007 - 5 months ago
No OTA updates were available through the phone menu, so I sideloaded the latest. Not difficult, but beyond what most casual users would be interested in performing themselves. The updating process has quite a bit of room for improvement by both the carriers and Google.
U_Swimf - 5 months ago
Google controls much of the updating from all Android devices through Play and GMS services among others.
Pixel is no more exclusive now a days than graphene is a forensics company. Or Sentry.io or any other stack
Mr.Tom - 4 months ago
I like how when I went to the system & updates on my Pixel 5a, it said I was Update To Date. I had to press the button to force a check, now it's downloading and installing the 612MB update. So much for auto-updating.