Google has launched a large-scale Pixel security update and warned that one of the patched vulnerabilities has already been exploited. The zero-day vulnerability, identified as CVE-2024-32896, is described as a privilege escalation issue in Pixel firmware, and its severity level is classified as high.
Google did not share detailed information about the zero-day vulnerability in the Pixel Security Bulletin, apart from stating: “There are indications that CVE-2024-32896 may be under limited, targeted exploitation.”
The Pixel Security Bulletin documented at least 44 Pixel-specific vulnerabilities, ranging from critical to high to medium risk levels. Google categorized 7 of the 44 vulnerabilities as critical.
In an announcement, Google stated, “We encourage all customers to accept these updates on their devices.” The announcement also highlighted various severe vulnerabilities present in mobile devices and operating system sub-components.
Among the high-risk vulnerabilities, multiple privilege escalation issues were found in components such as LDFW, Goodix, Mali, avcp, and confirmationui. High-risk remote code execution (RCE) vulnerabilities were discovered in components like CPIF, WLAN, and others.
The update also includes fixes for a few Qualcomm and Qualcomm closed-source components.
Additionally, security researchers drew attention to a critical flaw in the Arm Mali GPU kernel driver, which has also been flagged as actively exploited.
Acknowledging the zero-day vulnerability exploitation, Arm identified the Mali zero-day vulnerability as CVE-2024-4610, which allows improper GPU memory handling operations. This issue has been fixed in the Bifrost and Valhall GPU kernel driver r41p0. Users affected by this issue are advised to upgrade.