CVE-2024-32896
Published: 13 June 2024
Summary
CVE-2024-32896 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, ranked at the 41.1th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-32896 is a logic error that permits a bypass in affected code, enabling local privilege escalation on Android devices. The flaw is tracked under CWEs 670 and 783 and carries a CVSS 3.1 score of 7.8 reflecting local attack vector, low complexity, no privileges required, and required user interaction. It is addressed in the June 2024 Pixel security bulletin and impacts Pixel devices running vulnerable builds of Android.
An attacker with the ability to supply malicious input on the same device can exploit the flaw to elevate privileges and obtain full control over confidentiality, integrity, and availability of the system. No additional execution privileges are needed beyond the initial local access, though user interaction is required to trigger the bypass.
The referenced Android security bulletin and CISA Known Exploited Vulnerabilities catalog indicate that patches have been issued and that the vulnerability has seen active exploitation in the wild. The current EPSS score of 0.0019 remains low.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-30666
Vulnerability details
there is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
- CWE(s)
- KEV Date Added
- 13 June 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly counters the logic-error bypass of security controls that enables unauthorized local privilege escalation.
Requires prompt remediation of the identified code flaw, matching the June 2024 Pixel security update that resolves CVE-2024-32896.
Limits the scope of privileges an attacker can obtain after exploiting the local bypass, reducing confidentiality/integrity/availability impact.