Which vulnerabilities affect the System and Kernel components in the September 2024 Android Security Bulletin?

The System and Kernel vulnerabilities include CVE-2024-40650 to CVE-2024-40657 (High Severity), CVE-2024-40659 (Denial of Service in Android 14), and CVE-2024-36972 (EoP affecting the Net subcomponent in the Linux Kernel).

Which hardware components are affected by vulnerabilities in the September 2024 Android Security Bulletin?

Affected hardware components include the Mali subcomponent in ARM (CVE-2024-3655), the PowerVR-GPU in Imagination Technologies (CVE-2024-23716 and CVE-2024-31336), and the modem in Unisoc components (CVE-2024-39431 and CVE-2024-39432).

What vulnerabilities affect Qualcomm components in the September 2024 Android Security Bulletin?

Qualcomm components are affected by critical vulnerabilities CVE-2024-33042 and CVE-2024-33052 in the WLAN component and several high-severity vulnerabilities affecting subcomponents like Display, Camera, Bootloader, and Kernel.

Advisory

Google releases September 2024 patches, at least one exploited flaw

Q: What is the Android Security Bulletin for September 2024?

The Android Security Bulletin for September 2024 details several vulnerabilities affecting various components of the Android operating system. Security patches dated 2024-09-05 or later address all identified issues, and Android partners were informed of these vulnerabilities at least one month before publication.

Q: What are the most severe vulnerabilities in the September 2024 Android Security Bulletin?

The most severe vulnerabilities are in the Framework component, which could lead to local escalation of privilege (EoP) without needing additional execution privileges: CVE-2024-32896, CVE-2024-40658, and CVE-2024-40662, all rated as high severity and affecting Android versions 12, 12L, 13, and 14.

Q: What should Android users do to protect against these vulnerabilities?

All Android users are strongly advised to update to the latest Android version available for their device to ensure protection against these vulnerabilities.

published: Sept. 3, 2024

Take action: One exploited flaw and one critical in Quallcom chips. It's wise to apply the Android patch as soon as your vendor releases an update for your phone. Depending on the vendor you might wait for some weeks/months before the update is released for your phone.

Learn More

Google has released the Android Security Bulletin for September 2024, detailing several vulnerabilities affecting various components of the Android operating system. Security patches dated 2024-09-05 or later address all identified issues. Android partners were informed of these vulnerabilities at least one month before publication. Source code patches for these issues will be made available in the Android Open Source Project (AOSP) repository within 48 hours.

Summary of vulnerabilities

The most severe vulnerabilities in the Framework component could lead to local escalation of privilege (EoP) without needing additional execution privileges:

CVE-2024-32896 (High Severity) - EoP in Android versions 12, 12L, 13, and 14. There are indications that this flaw is under limited, targeted exploitation.
CVE-2024-40658 (High Severity) - EoP in Android versions 12, 12L, 13, and 14.
CVE-2024-40662 (High Severity) - EoP in Android versions 12, 12L, 13, and 14.

The following vulnerabilities in the System and Kernel components could also result in local EoP:

CVE-2024-40650 to CVE-2024-40657 (High Severity) - Affect Android versions 12, 12L, 13, and 14.
CVE-2024-40659 (High Severity) - Denial of Service (DoS) in Android version 14.
CVE-2024-36972 (High Severity) - EoP affecting the Net subcomponent in the Linux Kernel.

These vulnerabilities affect specific hardware components:

CVE-2024-3655 (High Severity) - Affects the Mali subcomponent in ARM.
CVE-2024-23716 and CVE-2024-31336 (High Severity) - Affect the PowerVR-GPU in Imagination Technologies.
CVE-2024-39431 and CVE-2024-39432 (High Severity) - Affect the modem in Unisoc components.

Several critical and high-severity vulnerabilities affect Qualcomm components:

Critical Severity Vulnerabilities:
- CVE-2024-33042 and CVE-2024-33052 - Affect the WLAN component.
High Severity Vulnerabilities:
- Affect multiple subcomponents, including Display, Camera, Bootloader, and Kernel.

All users are strongly advised to update to the latest Android version available for their device to ensure protection against these vulnerabilities. More information can be found in the original Android Security Bulletin—September 2024.

Google releases September 2024 patches, at least one exploited flaw

Read More
Google releases update for Chrome and Chromium browsers, …
Apple Patches Over 140 Vulnerabilities Across macOS, iOS, …
Microsoft Outlook Zero-Click vulnerability can be attacked by …
Adobe releases January 2025 patches for multiple products
Microsoft Patches multiple remote execution flaws, five critical …