What is included in the October 2024 Android security update?

The October 2024 Android security update addresses 26 high-severity vulnerabilities, including flaws in the Framework, System, and components from Imagination Technologies, MediaTek, and Qualcomm. It is released in two parts, targeting general and device-specific issues.

What vulnerabilities are addressed in the 2024-10-01 security patch level?

The 2024-10-01 security patch level addresses vulnerabilities in the Framework and System components. Key issues include CVE-2024-0044 (local escalation of privilege), CVE-2024-40676 (EoP), CVE-2024-40675 (DoS), and CVE-2024-40673 (remote code execution). These affect Android versions 12, 12L, 13, 14, and 15.

What vulnerabilities are addressed in the 2024-10-05 security patch level?

The 2024-10-05 security patch level addresses 19 vulnerabilities in components from Imagination Technologies, MediaTek, and Qualcomm. These include vulnerabilities affecting graphics, connectivity, and display components, such as CVE-2024-34732, CVE-2024-20100 (MediaTek wlan), and CVE-2024-33049 (Qualcomm WLAN).

What is the most severe vulnerability in the October 2024 Android update?

The most severe vulnerability is a high-severity remote code execution (RCE) flaw in the System component, identified as CVE-2024-40673. This vulnerability can be exploited without additional execution privileges and affects Android 12, 12L, 13, and 14.

What versions of Android are affected by the October 2024 update vulnerabilities?

The vulnerabilities addressed in the October 2024 security update affect Android 12, 12L, 13, 14, and 15. The update applies to all devices with a security patch level of 2024-10-05 or later.

How should users proceed with the October 2024 Android security update?

Users are advised to update their devices to the latest security patch level as soon as possible to ensure protection against the addressed vulnerabilities. This includes installing updates for devices with the 2024-10-01 and 2024-10-05 patch levels.

Advisory

Google releases October 2024 Android patches, fixes 26 flaws

published: Oct. 8, 2024

Take action: No critical or actively exploited flaws in this release, but a lot of high severity that attackers can find ways to exploit. It's wise to apply the Android patch as soon as your vendor releases an update for your phone. Depending on the vendor you might wait for some weeks/months before the update is released for your phone.

Learn More

Google has released the October 2024 Android security update, addressing 26 high-severity vulnerabilities across various components of the operating system. The update is distributed in two parts to give device manufacturers flexibility in applying the fixes, targeting both broader and device-specific issues.

2024-10-01 Security Patch Level:

The first part of the update includes fixes for vulnerabilities in the Framework and System components:

Framework: Three vulnerabilities were patched, including those that could lead to local escalation of privilege (EoP) and denial-of-service (DoS).
- CVE-2024-0044 (EoP) - Affects Android 12, 12L, 13, 14, 15.
- CVE-2024-40676 (EoP) - Affects Android 12, 12L, 13, 14, 15.
- CVE-2024-40675 (DoS) - Affects Android 12, 12L, 13, 14.
System: Four vulnerabilities were addressed, with the most critical being a remote code execution (RCE) flaw that does not require additional execution privileges.
- CVE-2024-40673 (RCE) - Affects Android 12, 12L, 13, 14.
- CVE-2024-40672 (EoP) - Affects Android 12, 12L, 13, 14.
- CVE-2024-40677 (EoP) - Affects Android 12, 12L, 13, 14, 15.
- CVE-2024-40674 (DoS) - Affects Android 14.

2024-10-05 Security Patch Level:

The second part of the update, corresponding to the 2024-10-05 security patch level, addresses 19 vulnerabilities affecting components developed by Imagination Technologies, MediaTek, and Qualcomm. These vulnerabilities involve graphics, connectivity, and display subcomponents, including:

Imagination Technologies PowerVR-GPU:
- CVE-2024-34732, CVE-2024-34733, CVE-2024-34748, CVE-2024-40649, CVE-2024-40651, CVE-2024-40669, CVE-2024-40670 - All assessed as high severity.
MediaTek Components:
- CVE-2024-20100, CVE-2024-20101, CVE-2024-20103 (wlan vulnerabilities).
- CVE-2024-20090, CVE-2024-20092, CVE-2024-20091, CVE-2024-20093 (vdec vulnerabilities).
- CVE-2024-20094 (Modem vulnerability) - All assessed as high severity.
Qualcomm Components:
- CVE-2024-33049, CVE-2024-33069 (WLAN vulnerabilities).
- CVE-2024-38399 (Display vulnerability).
- CVE-2024-23369 (Closed-source component) - All assessed as high severity.

The most severe issue, a high-severity RCE flaw in the System component, could be exploited without additional execution privileges. Google’s advisory emphasizes that while no active exploits of these vulnerabilities have been reported, it is crucial for users to update their devices promptly.

All devices with a security patch level of 2024-10-05 or later include fixes for the vulnerabilities in both update parts.

Google releases October 2024 Android patches, fixes 26 flaws

Read More
Paragon's Graphite Spyware targets European journalists through iPhone …
Adobe releases January 2025 patches for multiple products
NAS vendor QNAP warns of critical vulnerabilities in …
Instagram API exposure leaks 17.5 million user records
WhatsApp for Windows does not block execution when …