This week, Google announced an update to the Android operating system that addresses a total of 26 vulnerabilities, among them a particularly severe flaw in the System component. The flaw, identified as CVE-2024-23706 and affecting Android 14, allows attackers to escalate their privileges on devices running the vulnerable version. Highlighted as the most critical in this batch, it could enable privilege escalation without needing additional permissions, posing a significant risk to affected devices.
The security patches are split across two patch levels for the month. The first, dated 2024-05-01, resolved eight vulnerabilities: four elevation of privilege (EoP) bugs in the Framework component, and three EoP issues plus one information disclosure defect in the System component. The second, dated 2024-05-05, included fixes for 18 additional vulnerabilities affecting various components such as the kernel, as well as hardware-specific issues related to Arm, MediaTek, and Qualcomm, and also updated kernel LTS versions.
In addition to the Android updates, Google also rolled out security patches for Pixel devices, which addressed seven more vulnerabilities affecting the Bluetooth component, the Mali GPU driver, and five Qualcomm components. These updates ensure that Pixel devices running the security patch level of May 5 are safeguarded against the vulnerabilities outlined in Android’s May 2024 security bulletin, maintaining a strong defense against potential security breaches.
Google also announced updates for Wear OS, which included a fix for a critical-severity flaw in the Framework component. This vulnerability similarly allows for local escalation of privilege by malicious apps without needing additional execution privileges. These updates are part of a broader effort to secure various Google-operated systems, including Android Automotive OS and Pixel Watch, underlining Google’s commitment to protecting users across all its platforms against emerging security threats.