In August, Google released a substantial security update for Android, addressing 46 vulnerabilities, including a critical Linux kernel flaw identified as CVE-2024-36971. This use-after-free vulnerability within the networking stack has been assigned a high-severity CVSS score of 7.8. Successful exploitation of this flaw could result in remote code execution with system-level privileges, allowing attackers to gain complete control of affected devices. Google has noted signs of limited, targeted exploitation of this flaw, emphasising the importance of prompt updates to protect against potential attacks.

The vulnerability, discovered and reported by Google’s Threat Analysis Group (TAG), is significant due to its potential for exploitation by spyware and surveillance tools. TAG, known for tracking state-sponsored actors and commercial surveillance vendors, has previously uncovered numerous zero-day vulnerabilities, many of which have been exploited by commercial entities. The fact that CVE-2024-36971 might already be in use by spyware highlights the urgency of applying this patch to secure Android devices.

Additionally, Qualcomm has addressed a critical flaw in its closed-source multi-mode call processor, tracked as CVE-2024-23350, which could lead to a permanent denial of service. Google’s update also includes fixes for 11 high-severity elevation-of-privilege vulnerabilities in the Android Framework component. These vulnerabilities could be exploited by attackers to gain higher privileges on a device without requiring additional execution permissions.

Google's August patch cycle includes two separate updates: the 2024-08-01 patch for Android-specific vulnerabilities and the 2024-08-05 patch which consolidates earlier fixes with additional patches for kernel and third-party components from vendors such as Arm, MediaTek, and Qualcomm. The updates from Qualcomm address the aforementioned permanent denial of service flaw, among other issues. This patching cycle sets the stage for Microsoft’s upcoming August Patch Tuesday, which will introduce further fixes for additional vulnerabilities.

Source and further reading.

Lyons, J. (2024, August 6). Google splats device-hijacking exploited-in-the-wild android kernel bug among others. • The Register. https://www.theregister.com/AMP/2024/08/06/google_fixes_linux_kernal_rce