Today, Google rolled out an Android security update aimed at addressing 46 security vulnerabilities, one of which includes a zero-day vulnerability.
A zero-day vulnerability is a previously unknown security flaw in software, hardware, or firmware that malicious actors exploit before the vendor can identify and patch it. The term "zero-day" refers to the time the vendor has to prepare a fix—zero days—because the vulnerability has already been discovered or exploited.
Zero-Day Vulnerability Details
The zero-day vulnerability in question is a use-after-free type, identified as CVE-2024-36971. It is located in the Linux kernel used by Android for network routing management. Exploiting this flaw requires system-level execution privileges. However, Google's security bulletin indicates that this vulnerability may be subject to limited, targeted attacks.
If successfully exploited, this vulnerability allows attackers to execute arbitrary code on unpatched devices without user interaction. Clément Lecigne, a security researcher at Google's Threat Analysis Group (TAG), discovered the zero-day vulnerability.
Patching and Updates
For security reasons, Google has not disclosed specific details about the vulnerability to give Android users time to update their devices. To address all 46 vulnerabilities, Google released two sets of patches in the August security update, designated as 2024-08-01 and 2024-08-05.
The second batch of patches includes fixes for third-party closed-source components and kernel components in addition to the fixes in the first batch. Users are strongly advised to install these patches as soon as they become available. While Google's Pixel devices receive updates promptly, other manufacturers may take longer to release the updates for their respective models.