Google warns Samsung Galaxy phone owners about unpatched vulnerability

Last month we told you how the U.S. government ordered all federal employees using a Pixel handset to install the latest security update before July 4th or stop using the device. That order came from the Known Exploited Vulnerabilities (KEV) listings that are managed by CISA (Cybersecurity and Infrastructure Security Agency). Apparently CVE-2024-32896 "may be under limited, targeted exploitation."

Exploiting the CVE-2024-32896 vulnerability could allow an attacker to escalate privileges. Privilege escalation would allow an attacker to use an app to access and capture data that normally would not be available to the bad actor. It could also allow the attacker to take unauthorized actions that are typically reserved for users with higher privileges. As you can see, this is a serious problem, and because it was a zero-day, no patch or fix was available at the time the issue was discovered.

Google has announced that CVE-2024-32896 not only affects Pixel devices, but is also a security flaw on Samsung Galaxy devices and all other Android phones. While Samsung already released the July security update for its Galaxy phones, the update did not include a patch for the vulnerability. Pixel devices have had this vulnerability patched, while Galaxy and other Android models have not yet received a fix.


Google did add that "additional exploits would be needed to compromise a device," which really isn't something to make you relax because GrapheneOS says, "There are two vulnerabilities being addressed. Neither issue is being fixed outside Pixels yet."

Google did admit that this flaw was not yet patched outside of Pixel devices and the company told Forbes, "Android security is aware of this issue, and after further review, this issue does impact Android platform… Pixel devices that have installed the latest security update are protected… we are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available."

Samsung's July security update does patch three critical Qualcomm vulnerabilities that were fixed for Pixel handsets in June, leaving Samsung late once again. Samsung has already informed the public that component patches like the ones for the Qualcomm flaws take longer to disseminate than software and firmware fixes, but once again Pixel users had their phones secured first.

One of the updates in Samsung's July security update did fix a current vulnerability, CVE-2024-31320, which Google warns "could lead to local escalation of privilege with no additional execution privileges needed." Hopefully, next month's Samsung security update for August will finally patch the CVE-2024-32896 flaw.
