Android safety updates this month patch 46 vulnerabilities, together with a high-severity distant code execution (RCE) exploited in focused assaults.
The zero-day, tracked as CVE-2024-36971, is a use after free (UAF) weak point within the Linux kernel’s community route administration. It requires System execution privileges for profitable exploitation and permits altering the habits of sure community connections.
Google says that “there are indications that CVE-2024-36971 could also be underneath restricted, focused exploitation,” with risk actors probably exploiting to realize arbitrary code execution with out consumer interplay on unpatched units.
Clément Lecigne, a safety researcher from Google’s Menace Evaluation Group (TAG), was tagged because the one who found and reported this zero-day vulnerability.
Regardless that Google has but to supply particulars about how the flaw is being exploited and what risk actor is behind the assaults, Google TAG safety researchers steadily establish and disclose zero-days utilized in state-sponsored surveillance software program assaults to focus on high-profile people.
“Supply code patches for these points might be launched to the Android Open Supply Venture (AOSP) repository within the subsequent 48 hours,” explains the advisory.
Earlier this 12 months, Google patched one other zero-day exploited in assaults: a high-severity elevation of privilege (EoP) flaw within the Pixel firmware, tracked as CVE-2024-32896 by Google and CVE-2024-29748 by GrapheneOS (which discovered and reported the flaw).
Forensic corporations exploited this vulnerability to unlock Android units and not using a PIN and achieve entry to the saved knowledge.
Google has launched two patch units for the August safety updates, the 2024-08-01 and 2024-08-05 safety patch ranges. The latter contains all the safety fixes from the primary set and extra patches for third-party closed-source and Kernel elements, like a crucial vulnerability (CVE-2024-23350) in a Qualcomm closed-source element.
Notably, not all Android units would possibly want safety vulnerabilities that apply to the 2024-08-05 patch degree. Machine distributors might also prioritize deploying the preliminary patch degree to streamline the replace course of. Nonetheless, this doesn’t essentially point out an elevated danger of potential exploitation.
It is essential to notice that whereas Google Pixel units obtain month-to-month safety updates instantly after launch, different producers could require a while earlier than rolling out the patches. The delay is important for added testing of the safety patches to make sure compatibility with numerous {hardware} configurations.