Google Addresses Android Zero-Day Exploit on Pixel Devices

June 12, 2024

Google has issued patches for a zero-day vulnerability known as CVE-2024-32896, which was being exploited on its Pixel devices. This vulnerability is similar to CVE-2024-29748, which was also exploited by forensics companies. The issue was addressed as part of the development of a duress PIN/password feature and was reported to Google to encourage a wider fix for all Android devices. This fix has now been implemented.

The patch is part of the June update for Android 14 QPR3 and will be included in the Android 15 update for other devices. However, if devices do not update to Android 15, they may not receive the fix as it has not been backported. Google has advised that not all patches are backported.

Google has released patches for a total of 50 security vulnerabilities affecting its Pixel devices. One of these vulnerabilities had already been exploited in targeted attacks as a zero-day. The CVE-2024-32896 vulnerability is an elevation of privilege (EoP) flaw in the Pixel firmware and is considered a high-severity security issue. Google warned that there are indications that CVE-2024-32896 may be under limited, targeted exploitation.

Google has also flagged 44 other security bugs in its June Pixel update bulletin. Seven of these are privilege escalation vulnerabilities considered critical, impacting various subcomponents. Pixel devices, while running Android, receive separate security and bug fix updates from the standard monthly patches distributed to all Android OEMs due to their exclusive features, capabilities, and unique hardware platform directly controlled by Google.

To install the security update, Pixel users are advised to navigate to Settings > Security & privacy > System & updates > Security update, tap Install, and restart the device to complete the update process.

In addition to the Pixel-specific vulnerabilities, a memory-related vulnerability (CVE-2024-4610) in Bifrost and Valhall GPU kernel drivers was also reported as being exploited in the wild. This use-after-free vulnerability impacts all versions of Bifrost and Valhall drivers from r34p0 through r40p0 and can lead to information disclosure and arbitrary code execution.

In April, Google addressed two other Pixel zero-days exploited by forensic firms to unlock phones without a PIN and access data. CVE-2024-29745 was identified as a high-severity information disclosure bug in the Pixel bootloader, while CVE-2024-29748 is a high-severity privilege escalation bug in the Pixel firmware.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.