Google fixed a critical vulnerability in the Android Framework during the July patch period. CVE-2024-3132 allowed apps and local users to increase their privileges without additional permissions.
This is an escalation-of-privilege (EoP) vulnerability. Such flaws are not usually rated critical, but this one was because of the severity of its potential impact. Google's security bulletin, however, gives no further explanation of the rating.
Second critical EoP vulnerability in a short time
Google has released updates for the critical Android Framework vulnerability for Android 12 and 12L only. Back in May, Google also patched a similar critical EoP vulnerability. That one, however, was located in the System component rather than the Android Framework and affected Android 14.
The same patch round addresses 29 other vulnerabilities. The remaining updates apply to Android versions 12 through 14 or to subcomponents and are grouped under the security patch levels ‘2024-07-01’ and ‘2024-07-05’. Manufacturers must include these updates in their own patches to protect users.
Vulnerabilities in components
The source code patches are in the Android Open Source Project (AOSP) repository and are linked from the security bulletin, which also links to patches outside AOSP. As always, chipmakers MediaTek and Qualcomm have reported vulnerabilities in their components as well.
Android manufacturers were notified of the vulnerabilities at least a month ago to give them time to develop updates. This does not guarantee that every device will receive them, however, as some devices are no longer supported and others will only be updated later.