Google fixes Android kernel zero-day exploited in targeted attacks

Android security updates this month patch 46 vulnerabilities, including a high-severity remote code execution (RCE) exploited in targeted attacks.

The zero-day, tracked as CVE-2024-36971, is a use-after-free (UAF) weakness in the Linux kernel's network route management. It requires System execution privileges for successful exploitation and allows altering the behavior of certain network connections.

Google says that "there are indications that CVE-2024-36971 may be under limited, targeted exploitation," with threat actors likely exploiting it to gain arbitrary code execution without user interaction on unpatched devices.

Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), was tagged as the one who discovered and reported this zero-day vulnerability.

Even though Google has yet to provide details about how the flaw is being exploited and what threat actor is behind the attacks, Google TAG security researchers frequently identify and disclose zero-days used in state-sponsored surveillance software attacks to target high-profile individuals.

"Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours," explains the advisory.

Earlier this year, Google patched another zero-day exploited in attacks: a high-severity elevation of privilege (EoP) flaw in the Pixel firmware, tracked as CVE-2024-32896 by Google and CVE-2024-29748 by GrapheneOS (which found and reported the flaw).

Forensic companies exploited this vulnerability to unlock Android devices without a PIN and gain access to the stored data.

Google has released two patch sets for the August security updates, the 2024-08-01 and 2024-08-05 security patch levels. The latter includes all the security fixes from the first set and additional patches for third-party closed-source and Kernel components, like a critical vulnerability (CVE-2024-23350) in a Qualcomm closed-source component.

Notably, not all Android devices may need the fixes for security vulnerabilities that apply to the 2024-08-05 patch level. Device vendors may also prioritize deploying the initial patch level to streamline the update process. However, this doesn't necessarily indicate an increased risk of potential exploitation.

It's important to note that while Google Pixel devices receive monthly security updates immediately after release, other manufacturers may require some time before rolling out the patches. The delay is necessary for additional testing of the security patches to ensure compatibility with various hardware configurations.
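Because vendors may ship the 2024-08-01 level before the 2024-08-05 level, a fleet audit has to separate "some August fixes" from "all August fixes". The script below is an added example, not code from the article or the Android bulletin; the device serials and inventory rows are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article or the Android bulletin).
# On a live device the patch level can be read with:
#   adb shell getprop ro.build.version.security_patch

PARTIAL_LEVEL="2024-08-01"  # first August 2024 patch set
FULL_LEVEL="2024-08-05"     # first set plus closed-source and kernel fixes

# Print one of: invalid | pre-august | partial | full
classify_patch_level() {
    # adb shell output can carry a trailing carriage return; strip it.
    level=$(printf '%s' "$1" | tr -d '\r')
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # YYYY-MM-DD strings order correctly as integers once dashes are removed.
    n=$(printf '%s' "$level" | tr -d '-')
    if [ "$n" -ge "$(printf '%s' "$FULL_LEVEL" | tr -d '-')" ]; then
        echo full
    elif [ "$n" -ge "$(printf '%s' "$PARTIAL_LEVEL" | tr -d '-')" ]; then
        echo partial
    else
        echo pre-august
    fi
}

# Read "serial patch_level" rows on stdin, print "serial status" per device,
# and return 1 if any device is below the full August level.
audit_inventory() {
    rc=0
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        echo "$serial $status"
        [ "$status" = full ] || rc=1
    done
    return "$rc"
}

# Constructed inventory: hypothetical serials with sample patch levels.
printf '%s\n' \
    "PIXEL-0001 2024-08-05" \
    "OEM-0002 2024-08-01" \
    "OEM-0003 2024-06-01" \
    "OEM-0004 unknown" | audit_inventory || true
```

A device reported as `partial` has the first August set only, and `invalid` rows (empty or malformed property values) are flagged rather than silently treated as patched.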
