Google on Monday announced patches for 28 vulnerabilities in Android and 25 other bugs in Pixel devices, including two issues exploited in the wild.
The exploited flaws, tracked as CVE-2024-29745 and CVE-2024-29748, impact Pixel’s bootloader and firmware, Google notes in its advisory.
The internet giant says it has indications that these two security defects “may be under limited, targeted exploitation,” without providing specific details on the observed attacks.
Google has often linked these types of vulnerabilities to commercial spyware vendors.
A total of 24 vulnerabilities leading to elevation of privilege (EoP) and information disclosure were addressed in various Pixel components, and another was resolved in Qualcomm components.
The Pixel update resolves all these bugs, along with the 28 flaws addressed with Android’s April 2024 security patches.
The most severe of these vulnerabilities is CVE-2024-23704, an EoP defect in the System component that affects Android 13 and Android 14.
“The most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed,” Google explains in its April 2024 Android security bulletin.
The vulnerability was addressed as part of the 2024-04-01 security patch level, which fixes a total of eight high-severity flaws in Framework and System, which could be exploited to escalate privileges, leak information, or cause a denial-of-service condition.
A total of 20 other bugs were fixed in MediaTek, Widevine, and Qualcomm components as part of the second part of the security update, which arrives on devices as the 2024-04-05 security patch level.
“Security patch levels of 2024-04-05 or later address all issues associated with the 2024-04-05 security patch level and all previous patch levels,” Google notes.
On Pixel devices, a security patch level of 2024-04-05 resolves all these security defects.
Security updates were pushed out for Android Automotive OS and Wear OS, resolving all flaws fixed by the 2024-04-05 security patch level, but no additional vulnerabilities.
Related: Android’s March 2024 Update Patches Critical Vulnerabilities
Related: Critical Remote Code Execution Vulnerability Patched in Android
Related: Android’s January 2024 Security Update Patches 58 Vulnerabilities
Related: CISA Warns of Pixel Phone Vulnerability Exploitation