Google has rolled out a massive Pixel security update alongside a warning that one of the patched vulnerabilities has already been exploited in the wild.
The zero-day is tagged as CVE-2024-32896 and described as an elevation of privilege issue in Pixel Firmware. The bug carries a high-severity rating.
Google did not share details of the zero-day beyond a single line in the Pixel security bulletin: “There are indications that CVE-2024-32896 may be under limited, targeted exploitation.”
The Pixel security bulletin documents at least 44 Pixel-specific vulnerabilities ranging in severity from critical to high to moderate risk. Google marked seven of the 44 bugs in the critical category.
“We encourage all customers to accept these updates to their devices,” Google said in an advisory that also flags serious vulnerabilities across various mobile device and OS subcomponents.
Among the critical vulnerabilities, multiple elevation of privilege issues were found in components such as LDFW, Goodix, Mali, avcp, and confirmationui; and high-severity remote code execution (RCE) vulnerabilities in CPIF, WLAN, and other components.
The update also includes fixes for a handful of Qualcomm and Qualcomm closed-source components.
Separately, security researchers are calling attention to a severe defect in the Arm Mali GPU Kernel Driver that’s also being marked as actively exploited.
The Arm Mali zero-day is tracked as CVE-2024-4610 and allows improper GPU memory processing operations, according to an Arm advisory that acknowledges in-the-wild zero-day exploitation.
“This issue is fixed in Bifrost and Valhall GPU Kernel Driver r41p0. Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue,” Arm said.
So far this year, there have been 41 documented in-the-wild zero-day attacks. Software code or products from Google account for eight of the 41 zero-days seen to date in 2024.
Related: Patch Tuesday: Remote Code Execution Flaw in Microsoft Message Queuing
Related: Adobe Ships Hefty Batch of Security Patches
Related: PHP Patches Critical Remote Code Execution Vulnerability
Related: Nvidia Patches High-Severity GPU Driver Vulnerabilities
