CVE-2024-32896 exploited for privilege escalation, addressed in September 2024 security update
Google has addressed a high-severity vulnerability, tracked as CVE-2024-32896, in its Android operating system. The flaw, which has a CVSS score of 7.8, was actively exploited in the wild. CVE-2024-32896 is a privilege escalation vulnerability in the Android Framework component, potentially allowing attackers to elevate privileges without additional execution rights.
The National Vulnerability Database (NVD) advisory explains, “There is a possible bypass due to a logic error in the code. This could lead to local privilege escalation. User interaction is needed for exploitation.”
Google resolved the issue in its September 2024 Android Security Bulletin, which notes indications that the vulnerability may be under limited, targeted exploitation. The same flaw had already been patched for Pixel devices in the June 2024 Pixel Update Bulletin, where it was flagged as an exploited zero-day affecting Pixel firmware.
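A practical triage step is to compare each device's reported security patch level against the bulletin that shipped the fix. The script below is an added example written for this page, not code from Google or from the article; it assumes that the 2024-09-01 patch level of the September 2024 Android bulletin carries the CVE-2024-32896 framework fix (verify this against the bulletin itself), and it accepts an alternative minimum level for fleets such as Pixel devices that received the fix in the June 2024 Pixel bulletin. Note the caveat: a patch level is the vendor's declaration that the bulletin's fixes are included; it does not by itself prove that the patched code is running.

```shell
#!/bin/sh
# Added example (not from the article or from Google): check the Android
# security patch level against the bulletin that shipped the fix.
# Assumption: the September 2024 Android bulletin's 2024-09-01 patch level
# carries the CVE-2024-32896 framework fix; confirm against the bulletin.
FIXED_LEVEL="2024-09-01"

# patch_is_fixed LEVEL [MIN]
# Exit 0 if LEVEL (ro.build.version.security_patch, YYYY-MM-DD) is at or
# after MIN, 1 if it is older, 2 if it is not a well-formed date.
# ISO dates sort correctly as plain strings, so no date library is needed.
patch_is_fixed() {
    level="$1"
    min="${2:-$FIXED_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$level" = "$min" ] && return 0
    # expr prints 1 when the string comparison holds, 0 otherwise
    [ "$(expr "$level" \> "$min")" = 1 ]
}

# patch_status LEVEL [MIN]: print a one-word verdict suitable for a report
patch_status() {
    rc=0
    patch_is_fixed "$1" "${2:-$FIXED_LEVEL}" || rc=$?
    case $rc in
        0) echo "patched" ;;
        1) echo "VULNERABLE" ;;
        *) echo "unknown" ;;
    esac
}

# check_connected_devices: query every device adb sees and print one line
# per serial: "<serial> <patch level> <verdict>". Only runs when adb is
# installed; the functions above also work on patch levels exported from
# an MDM inventory without any device attached.
check_connected_devices() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        echo "$serial $level $(patch_status "$level")"
    done
}
```

Run `check_connected_devices` with devices attached over adb, or feed patch levels from an inventory to `patch_status` directly, e.g. `patch_status 2024-06-05 2024-06-05` for a Pixel that should have received the June fix.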
While no detailed technical information about the exploitation has been published, GrapheneOS developers noted that CVE-2024-32896 is tied to an incomplete mitigation of another flaw, CVE-2024-29748. Both vulnerabilities affect Android devices beyond Pixel, but the earlier mitigation lived in the Pixel bootloader and therefore only protected Pixel devices. Android 14 QPR3 carries the full fix: the wipe is performed without rebooting, so a factory reset triggered through the device-admin API can no longer be interrupted, closing the loophole for both vulnerabilities.

