Google patched 46 bugs affecting its Android operating system in its August 2024 security update, including a high-severity kernel flaw suspected to be under active exploitation.
The 2024-08-01 and 2024-08-05 patch level vulnerabilities disclosed Monday include 13 high-severity framework vulnerabilities, one high-severity system vulnerability, 31 vulnerabilities in components from Arm, Imagination Technologies, MediaTek and Qualcomm, and one kernel vulnerability tracked as CVE-2024-36971.
CVE-2024-36971, a Linux kernel flaw first published in June, has a high CVSS score of 7.8 and can lead to a use-after-free error, in which the system attempts to use data that has already been cleared from memory.
Because the Android kernel is based on the Linux kernel, it was necessary for Google to patch its mobile operating system to resolve the flaw, which could be exploited to perform remote code execution, according to the Android security bulletin.
Google disclosed that CVE-2024-36971 “may be under limited, targeted exploitation” in the wild.
Other severe vulnerabilities included in the latest monthly updated are 11 framework vulnerabilities leading to escalation of privileges and a Qualcomm vulnerability considered to be critical by Google due to its potential impact on Android devices.
This Qualcomm flaw, tracked as CVE-2024-23350, can lead to a permanent denial-of-service (DoS) if a specific combination of network message payloads are received by the device.
How to patch CVE-2024-36971 and other Android flaws
Google rolled out updates to Android versions 12, 12L, 13 and 14 to address the flaws, but patch availability also depends on the device manufacturer. Android device manufacturers are informed of security flaws at least a month prior to their publication, giving them time to apply fixes to their specific hardware.
Users of Android devices can check and update their Android version following instructions provided by Google. More specific update information is available from Google for users of Pixel phones and tablets; users of other devices should check their device manufacturer’s website or contact the manufacturer for more information.
Google publishes the Android security bulletin monthly; last month, the company fixed a total of 29 Android bugs.
