Executive Summary
This month's Android security updates address 46 vulnerabilities, including a critical remote code execution (RCE) vulnerability that is being actively exploited in targeted attacks.
The vulnerability in question, identified as CVE-2024-36971, is a "use after free" (UAF) issue in the Linux kernel's network route management that can alter network behaviors. Successful exploitation requires System execution privileges and enables unauthorized code execution without user interaction on devices that have not been updated.
Google has observed signs of limited, targeted attacks exploiting CVE-2024-36971, according to their Threat Analysis Group (TAG). The vulnerability was first reported by Google TAG's security researcher, Clément Lecigne.
Details on the exploitation methods and the identity of the attackers remain undisclosed, but Google's TAG often uncovers zero-days exploited by state-backed actors to surveil high-value targets.
The advisory notes that code patches for these vulnerabilities will be added to the Android Open Source Project (AOSP) repository within 48 hours.
Earlier this year Google addressed another zero-day, an elevation of privilege (EoP) issue within Pixel firmware, identified as CVE-2024-32896 by Google and CVE-2024-29748 by GrapheneOS, which discovered the flaw. This vulnerability was used by forensic firms to bypass device locks and access data on Android devices.
Google has issued two sets of patches in their August security updates: the 2024-08-01 and 2024-08-05 levels. The latter encompasses all fixes from the earlier set along with extra patches for third-party, closed-source components, including a significant flaw (CVE-2024-23350) in a Qualcomm component.
It should be noted that not all Android devices will require the patches included in the 2024-08-05 update. Manufacturers might opt to roll out the initial patch level first to simplify the update process, although this doesn't necessarily imply a heightened risk of exploitation.
While Google Pixel devices promptly receive monthly updates, other brands might delay their rollout for additional testing to ensure the patches are compatible with different hardware configurations.
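Because rollout timing differs by manufacturer, a fleet owner needs to know which of the two August levels each device actually reports. The following is an added example, not code from Google or the bulletin: it assumes the output of `adb shell getprop ro.build.version.security_patch` has been collected into "serial patch_level" lines, and the serials, function names and status labels are hypothetical.

```shell
#!/bin/sh
# Added example: bucket Android devices by reported security patch level
# against the two August 2024 levels (2024-08-01 and 2024-08-05).

# Classify one patch-level string (YYYY-MM-DD), as returned by
#   adb shell getprop ro.build.version.security_patch
classify_patch_level() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;   # empty or malformed value
    esac
    n=$(printf '%s' "$level" | sed 's/-//g')   # 2024-08-05 -> 20240805
    if [ "$n" -ge 20240805 ]; then
        echo "full"      # both sets, including closed-source component fixes
    elif [ "$n" -ge 20240801 ]; then
        echo "partial"   # first set only; the second set may not apply
    else
        echo "missing"   # predates the August 2024 updates
    fi
}

# Read "serial patch_level" lines on stdin; print "serial patch_level status".
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s %s\n' "$serial" "${level:-none}" \
            "$(classify_patch_level "$level")"
    done
}

# Count devices that do not report the complete 2024-08-05 level.
count_not_full() {
    audit_inventory | awk '$3 != "full" { c++ } END { print c + 0 }'
}

# Constructed sample inventory (hypothetical serials, not real devices).
sample_inventory() {
    cat <<'EOF'
PIXEL8-A 2024-08-05
TABLET-B 2024-08-01
PHONE-C 2024-06-05
KIOSK-D
EOF
}

sample_inventory | audit_inventory
```

A device in the "partial" bucket is not necessarily exposed, since not every device needs the 2024-08-05 patches; treat that bucket as a prompt to check the vendor's own bulletin.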
References
https://source.android.com/docs/security/bulletin/2024-08-01#Android-and-Google-service-mitigations