Last month, we shared with you the recent directive from the U.S. government requiring all federal employees using a Pixel device to install the latest security update before July 4th or discontinue using the handset. This mandate was issued after CISA (Cybersecurity and Infrastructure Security Agency) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Specifically, CVE-2024-32896 was identified as potentially being under targeted exploitation.
Exploiting the CVE-2024-32896 vulnerability could grant an attacker privilege escalation, enabling unauthorized access to sensitive data and to actions normally restricted to users with higher privileges. Because it was a zero-day, no patch or fix was available when the vulnerability was discovered, which made addressing the issue promptly all the more urgent.
Google has confirmed that CVE-2024-32896 affects not only Pixel devices but also Samsung Galaxy devices and other Android phones. While Pixel devices have received a patch for this vulnerability, Samsung Galaxy and other Android models are still vulnerable as they have not yet been updated to address this security flaw.
Despite Google’s assurance that additional exploits would be required to compromise a device, GrapheneOS highlights that two vulnerabilities are currently unresolved outside of Pixel devices. Google acknowledged that this flaw remains unpatched beyond Pixel devices and reassured that efforts are underway to prioritize applicable fixes for other Android OEM partners as soon as they become available.
In Samsung’s July security update, three critical Qualcomm vulnerabilities were addressed that had already been fixed for Pixel handsets in June. Although Samsung attributes the delay in distributing component patches such as those for Qualcomm flaws to their greater complexity compared with software and firmware fixes, Pixel users once again received security updates ahead of Samsung users.
Notably, one of the updates included in Samsung’s July security patch addressed a current vulnerability (CVE-2024-31320) flagged by Google as potentially leading to local escalation of privilege without requiring additional execution privileges. Looking ahead, it is hoped that Samsung’s forthcoming August security update will finally resolve the CVE-2024-32896 flaw once and for all. Stay tuned for more updates on this evolving situation!