CVE-2024-32896 : there is a possible way to bypass due to a logic error in the code. This could

there is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Published 2024-06-13 21:15:54

Updated 2024-11-29 16:43:34

Source Google Devices

View at NVD, CVE.org

Products affected by CVE-2024-32896

Google » Android » Version: N/A
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Matching versions

CVE-2024-32896 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Android Pixel Privilege Escalation Vulnerability

CISA required action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA description:

Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation.

Notes:

https://source.android.com/docs/security/bulletin/pixel/2024-06-01; https://nvd.nist.gov/vuln/detail/CVE-2024-32896

Added on 2024-06-13 Action due date 2024-07-04

Exploit prediction scoring system (EPSS) score for CVE-2024-32896

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 14 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-32896

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-07-03
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST	2024-06-14
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-32896

CWE-670 Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Assigned by: nvd@nist.gov (Primary)
CWE-783 Operator Precedence Logic Error

The product uses an expression in which operator precedence causes incorrect logic to be used.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2024-32896

https://source.android.com/security/bulletin/pixel/2024-06-01

Pixel Update Bulletin—June 2024 | Android Open Source Project
Vendor Advisory

CVEs referencing this url