Advisory

Google releases December 2024 Android update, fixes multiple high severity flaws

Take action: This update is not that terrible. There are no reported critical flaws, although there are a lot of high-severity ones. No need to panic, but do plan to update your Android OS as soon as your vendor releases an update for your phone. Depending on the vendor, you might wait weeks or months before the update is released for your phone.


Learn More

Google has released its Android Security Bulletin for December 2024, detailing several high-severity security vulnerabilities affecting Android devices. The bulletin, published on December 2, 2024, introduces patches for two security patch levels: 2024-12-01 and 2024-12-05.

Framework Vulnerabilities (2024-12-01 patch level):

  • CVE-2024-43762 (High Severity, CVSS score not assigned) - Elevation of Privilege (EoP)
    • Affects: Android 12, 12L, 13, 14, 15
  • CVE-2024-43764 (High Severity, CVSS score not assigned) - Elevation of Privilege (EoP)
    • Affects: Android 13, 14
  • CVE-2024-43769 (High Severity, CVSS score not assigned) - Elevation of Privilege (EoP)
    • Affects: Android 13, 14, 15

System Component Vulnerabilities (2024-12-01 patch level):

  • CVE-2024-43767 (High Severity, CVSS score not assigned) - Remote Code Execution (RCE), most dangerous vulnerability in this update
    • Affects: Android 12, 12L, 13, 14, 15
  • CVE-2024-43097 (High Severity, CVSS score not assigned) - Elevation of Privilege (EoP)
    • Affects: Android 12, 12L, 13, 14, 15
  • CVE-2024-43768 (High Severity, CVSS score not assigned) - Elevation of Privilege (EoP)
    • Affects: Android 12, 12L, 13, 14, 15

Vendor-Specific Vulnerabilities (2024-12-05 patch level):

  1. Imagination Technologies:
    • Two high-severity vulnerabilities affecting PowerVR-GPU (CVE-2024-43077, CVE-2024-43701)
  2. MediaTek:
    • One high-severity vulnerability in video decoder component (CVE-2024-20125)
  3. Qualcomm:
    • One high-severity vulnerability in WLAN component (CVE-2024-33063)
    • Four high-severity vulnerabilities in closed-source components (CVE-2024-33044, CVE-2024-33056, CVE-2024-43048, CVE-2024-43052)

All security patches have been released to the Android Open Source Project (AOSP) repository, and Android partners were notified of these issues at least a month before publication.
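To see which of the CVEs listed above are still open on a given device, compare its security patch level (the value `adb shell getprop ro.build.version.security_patch` reports) against the two levels in this bulletin. The script below is an added example, not part of Google's bulletin; the fleet inventory, the device names and the vendor tags are constructed, and it assumes the inventory records Android releases with the same labels the advisory uses.

```python
from datetime import date

# CVE tables transcribed from the advisory above: CVE -> affected Android releases.
PATCH_2024_12_01 = {
    "CVE-2024-43762": {"12", "12L", "13", "14", "15"},
    "CVE-2024-43764": {"13", "14"},
    "CVE-2024-43769": {"13", "14", "15"},
    "CVE-2024-43767": {"12", "12L", "13", "14", "15"},  # the RCE
    "CVE-2024-43097": {"12", "12L", "13", "14", "15"},
    "CVE-2024-43768": {"12", "12L", "13", "14", "15"},
}
# 2024-12-05 level: vendor component fixes, keyed by vendor.
PATCH_2024_12_05 = {
    "imagination": ["CVE-2024-43077", "CVE-2024-43701"],
    "mediatek": ["CVE-2024-20125"],
    "qualcomm": ["CVE-2024-33063", "CVE-2024-33044", "CVE-2024-33056",
                 "CVE-2024-43048", "CVE-2024-43052"],
}

def open_cves(release, patch_level, vendors=()):
    """Return the advisory's CVEs not yet covered by a device's patch level."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        level = date.min  # unreadable patch level: treat the device as unpatched
    found = []
    # Android bulletin convention: the -05 level includes every fix from the -01 level.
    if level < date(2024, 12, 1):
        found += [c for c, rel in PATCH_2024_12_01.items() if release in rel]
    if level < date(2024, 12, 5):
        for v in vendors:  # vendor CVEs matter only if the device has that hardware
            found += PATCH_2024_12_05.get(v.lower(), [])
    return sorted(found)

# Constructed inventory: (device id, Android release, patch level, SoC/GPU vendors).
FLEET = [
    ("dev-a", "14", "2024-11-05", ["qualcomm"]),
    ("dev-b", "13", "2024-12-01", ["mediatek", "imagination"]),
    ("dev-c", "15", "2024-12-05", ["qualcomm"]),
    ("dev-d", "12L", "unknown", []),
]

if __name__ == "__main__":
    for dev, rel, lvl, vendors in FLEET:
        cves = open_cves(rel, lvl, vendors)
        print(f"{dev}: {len(cves)} open", *cves)
```

A device at the 2024-12-01 level can still carry the vendor component flaws, which is why `dev-b` is reported with three open CVEs.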
