⚠ Actively exploited
Added to CISA KEV on 2024-06-13. Federal agencies required to patch by 2024-07-04. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-32896Always-Incorrect Control Flow Implementation in Build Soong

CWE-670Always-Incorrect Control Flow ImplementationCWE-783Operator Precedence Logic Error8 documents7 sources
Severity
7.8HIGHNVD
EPSS
0.2%
top 60.48%
CISA KEV
KEV
Added 2024-06-13
Due 2024-07-04
Exploit
Exploited in wild
Active exploitation observed
Affected products
5
Platform Build SoongPlatform Frameworks BasePlatform Hardware Interfaces+2 more
Timeline
PublishedJun 13
KEV addedJun 13
KEV dueJul 4
Latest updateSep 1
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

there is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

Androidplatform/build_soong14-next:014-next:2024-06-05+1
Androidplatform/frameworks_base14-next:014-next:2024-06-05+6
Androidplatform/system_sepolicy14-next:014-next:2024-06-05+6
Androidplatform/hardware_interfaces14-next:014-next:2024-06-05+1
CVEListV5google/androidAndroid kernel

🔴Vulnerability Details

5
OSV
CVE-2024-32896: In rebootRecoveryWithCommand of RecoverySystemService2024-09-01
GHSA
GHSA-qxgm-2hhj-rw7f: there is a possible way to bypass due to a logic error in the code2024-06-13
CVEList
CVE-2024-32896: there is a possible way to bypass due to a logic error in the code2024-06-13
OSV
CVE-2024-32896: there is a possible way to bypass due to a logic error in the code2024-06-01
VulnCheck
Android Pixel Privilege Escalation Vulnerability2024

📋Vendor Advisories

2
Android
CVE-2024-32896: Android Security Bulletin 2024-09-01 CVE: CVE-2024-32896 Severity: HIGH Type: EoP Affected AOSP versions: 12, 12L, 13, 14 References: A-324321147 [2]2024-09-01
CISA
Android Pixel Privilege Escalation Vulnerability2024-06-13
CVE-2024-32896 — Platform Build Soong vulnerability | cvebase