Google has issued a security update that fixes seven critical vulnerabilities in its Pixel smartphone lineup. One of them, labelled CVE-2024-32896, is a privilege escalation flaw that the search giant reports has already been exploited as a zero-day. The vulnerabilities affect the entire lineup of Pixel devices currently supported by the company, including Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold.
The fix is part of the company’s June 2024 security update. It addresses 50 security vulnerabilities, including seven critical vulnerabilities affecting various device subcomponents and five vulnerabilities affecting Qualcomm components. The Qualcomm vulnerabilities affect the Wi-Fi and audio components on Pixel devices, in addition to a closed-source component.

In typical Google fashion, the company hasn’t revealed any details except the CVE IDs of the vulnerabilities that were discovered. Outside of CVE-2024-32896, which is reportedly actively exploited as a zero-day, the other critical vulnerabilities include the following:
- CVE-2024-32891
- CVE-2024-32892
- CVE-2024-32899
- CVE-2024-32906
- CVE-2024-32908
- CVE-2024-32909
- CVE-2024-32922

All the aforementioned critical-level vulnerabilities are privilege escalation bugs that allow attackers to compromise the device and then elevate their permissions, gaining admin access to the targeted device. The update also includes 24 high-rated vulnerabilities, a mix of privilege escalation, information disclosure, and remote code execution bugs. If exploited, any of these vulnerabilities can result in a device takeover.
It’s important to note that while these vulnerabilities are fixed in the June 2024 security update, they differ from those described in the June 2024 Android Security Bulletin. That’s because fixes for the vulnerabilities covered in the June 2024 Android Security Bulletin are required for a device to declare the latest security patch level. Additional security vulnerabilities, such as the ones described above, are exempt from this rule.