This month, Android’s security updates address 46 vulnerabilities, including a high-severity remote code execution (RCE) flaw exploited in targeted attacks.

The critical zero-day vulnerability, CVE-2024-36971, is a use-after-free (UAF) issue in the Linux kernel’s network route management. Exploitation requires System execution privileges and allows attackers to modify the behavior of network connections.

Google has noted signs of CVE-2024-36971 being used in limited, targeted exploitation, enabling arbitrary code execution on unpatched devices without user interaction. Clément Lecigne from Google’s Threat Analysis Group (TAG) discovered and reported this zero-day. While details on exploitation methods and responsible threat actors remain undisclosed, Google TAG often identifies zero-days used in state-sponsored surveillance.

Source code patches will be available in the Android Open Source Project (AOSP) repository within 48 hours. Additionally, two patch sets for August, the 2024-08-01 and 2024-08-05 security levels, have been released. The latter includes fixes for third-party closed-source and kernel components, such as a critical Qualcomm vulnerability (CVE-2024-23350).

Google Pixel devices receive monthly updates immediately, but other manufacturers may delay patch rollouts for additional compatibility testing. This delay does not necessarily increase the risk of exploitation.
