Critical Security Vulnerability CVE-2024-32896 Requires Immediate Hotfix

[ahjolinna]

Description:

Google's July security update has addressed critical vulnerabilities in Pixel devices, specifically CVE-2024-32896, which remains unpatched in many other Android devices. This vulnerability is severe enough to have prompted a U.S. government warning, urging federal employees to update their Pixel devices by July 4. This vulnerability remains unpatched on non-Pixel Android devices.

Impact:

• Non-Pixel Android devices are exposed to severe security risks due to the unpatched vulnerabilities.
• The delay in addressing these critical issues highlights a significant security gap within the Android ecosystem.

Current Status:

• Google has promptly addressed these vulnerabilities in their Pixel devices.
• Non-Pixel devices, including those from other major manufacturers, have not yet received these critical patches.

Recommended Actions:

1. Immediate Attention: Review the status of CVE-2024-32896 on Xperia devices.
2. Prioritize Fixes: Expedite the development and deployment of patches for these vulnerabilities across all affected devices.
3. Enhance Coordination: Improve the coordination and speed of rolling out critical security updates to prevent such delays in the future.

References:

• U.S. Government Warning on CVE-2024-32896

• https://www.forbes.com/sites/zakdoffman/2024/07/03/samsung-s24-ultra-s23-free-update-warning-for-galaxy-android-users/

• https://discuss.grapheneos.org/d/13494-cve-2024-32896-wipe-without-reboot-added-to-aosp-due-to-reports-by-grapheneos

[MartinX3]

You sent it to the Sony company, too? (Because this repo is about SODP and not stock)

And doesn't this mean it is part of the june security patch month? https://source.android.com/docs/security/bulletin/pixel/2024-06-01

[ahjolinna]

You sent it to the Sony company, too? (Because this repo is about SODP and not stock)

Yes, I did send an email to Sony about the vulnerability.

And doesn't this mean it is part of the june security patch month? https://source.android.com/docs/security/bulletin/pixel/2024-06-01

For some reason, the fix in the June security patch was only applied to Pixel devices. According to a Forbes article, even the July security update will not include the fix.

[MartinX3]

@ahjolinna if it's not in the official aosp source code that's bad. (We get the tags to build sodp from here https://source.android.com/docs/setup/reference/build-numbers#source-code-tags-and-builds)