Google this week announced a fresh batch of security updates for Android, to address a total of 26 vulnerabilities, including a critical-severity flaw in the System component.
The bug, tracked as CVE-2024-23706 and impacting Android 14, could allow attackers to escalate their privileges on vulnerable devices, Google notes in its advisory.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed,” the internet giant says.
The vulnerability was resolved as part of the 2024-05-01 security patch level, which addresses eight flaws, including four elevation of privilege (EoP) bugs in the Framework component, and three EoP issues and one information disclosure defect in the System component.
Patches for 18 other vulnerabilities in kernel, Arm, MediaTek, and Qualcomm components were included in the second part of this month’s Android update, which arrives on devices as the 2024-05-05 security patch level and which also includes updated kernel LTS versions.
On Tuesday, Google also announced fresh security updates for Pixel devices, to resolve seven additional vulnerabilities impacting the Bluetooth component, the Mali GPU driver, and five Qualcomm components.
Pixel devices running a security patch level of May 5 contain patches against all these flaws, and the vulnerabilities detailed in Android’s May 2024 security bulletin.
Additionally, Google announced security updates that resolve four Wear OS-specific vulnerabilities, including a critical-severity flaw in the Framework component.
“The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege by a malicious app with no additional execution privileges needed,” Google notes.
The full Wear OS update also fixes the flaws detailed in Android’s May 2024 security bulletin, which are being addressed via Android Automotive OS and Pixel Watch updates as well.
Google makes no mention of any of these vulnerabilities being exploited in the wild.
Related: Google Patches Exploited Pixel Vulnerabilities
Related: Android’s March 2024 Update Patches Critical Vulnerabilities
Related: Critical Remote Code Execution Vulnerability Patched in Android
