In its November 2024 security update, Google has addressed 51 Android vulnerabilities, including two actively exploited zero-day flaws, CVE-2024-43047 and CVE-2024-43093.
These issues, marked as “exploited in limited, targeted attacks,” involve high-severity privilege escalation vulnerabilities impacting Qualcomm components and the Android Framework.
The CVE-2024-43047 flaw, identified in Qualcomm’s Digital Signal Processor (DSP) service, allows privilege escalation via a use-after-free bug in Android’s closed-source kernel components. This vulnerability was first reported in early October by Qualcomm. Researchers from Amnesty International have been linked to the discovery, indicating its potential use in spyware operations.
CVE-2024-43093 affects Android’s Framework component and Google Play system updates, specifically targeting the Documents UI. Google has not disclosed details on how this flaw was exploited or its discovery source.
In addition to these two zero-day fixes, the November patch includes a critical fix, CVE-2024-38408, for Qualcomm’s proprietary components, among other vulnerabilities. Google’s update is split into two patch levels, November 1 and November 5, covering core Android issues and vendor-specific fixes.
These updates apply to Android 12 through 15, while Android 11 and older versions remain unsupported for regular updates, with some critical patches available through Google Play system updates. To install the latest updates, users can go to Settings > System > Software updates > System update or Settings > Security & privacy > System & updates > Security update. Restarting the device is required to complete the update.
For older devices, Google recommends upgrading to supported models or using third-party Android distributions that maintain security patches.
