Google has fixed 62 vulnerabilities, including at least 2 zero-days, in the latest security update. These zero-days were used by Serbian authorities to target student activists with Cellebrite.
Of these now fixed 62 vulnerabilities, the majority of them are high-severity elevation of privilege flaws while two are zero-day flaws that are much easier for hackers to exploit in their attacks.
The first zero-day (tracked as CVE-2024-43197) is a high-severity privilege escalation flaw in the Linux kernel’s USB-audio driver for ALSA devices. It was reportedly exploited by authorities in Serbia to unlock confiscated Android devices using a zero-day exploit chain created by an Israeli digital forensics company called Cellebrite.
The second zero-day (tracked as CVE-2024-53150) is an Android Kernel information disclosure vulnerability that’s caused by an out-of-bound read weakness. If exploited, it can allow local attackers with access to your phone to access sensitive information without any user interaction.
These vulnerabilities were mostly benign on devices with Graphene OS installed. In fact, they have been patched for quite some time now.
Such fixes were only brought to android devices just now; however, most devices will receive updates later than the stock Pixel.