Cyber Resilience

CVE-2024-32896

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 June 2024
Modified: 24 October 2025
KEV Added: 13 June 2024
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (41.1st percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-32896 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, it is ranked at the 41.1st percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-32896 is a logic error that permits a bypass in affected code, enabling local privilege escalation on Android devices. The flaw is tracked under CWEs 670 and 783 and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, no privileges required, and user interaction required. It is addressed in the June 2024 Pixel security bulletin and impacts Pixel devices running vulnerable builds of Android.

An attacker with the ability to supply malicious input on the same device can exploit the flaw to elevate privileges and obtain full control over confidentiality, integrity, and availability of the system. No additional execution privileges are needed beyond the initial local access, though user interaction is required to trigger the bypass.

The referenced Android security bulletin and CISA Known Exploited Vulnerabilities catalog indicate that patches have been issued and that the vulnerability has seen active exploitation in the wild. The current EPSS score of 0.0019 remains low.

EU & UK References

Vulnerability details

There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CWE(s): CWE-670, CWE-783
KEV Date Added: 13 June 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Google Android, all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Directly counters the logic-error bypass of security controls that enables unauthorized local privilege escalation.

SI-2 (Flaw Remediation), prevent: Requires prompt remediation of the identified code flaw, matching the June 2024 Pixel security update that resolves CVE-2024-32896.

Prevent: Limits the scope of privileges an attacker can obtain after exploiting the local bypass, reducing confidentiality/integrity/availability impact.

References