CVE-2024-43047 & CVE-2024-43093: Android Zero-Days Demand Immediate Patching

by do son · November 4, 2024

In its November 2024 security update, Google has addressed 40 security vulnerabilities in the Android operating system, two of which are flagged as actively exploited: CVE-2024-43047 and CVE-2024-43093. Google’s bulletin provides limited details regarding the nature and extent of the exploitation, stating only that “there are indications that the following may be under limited, targeted exploitation.”

Of particular concern is CVE-2024-43047, a high-severity vulnerability (CVSS 7.8) residing in the Qualcomm Digital Signal Processor (DSP) service. This zero-day flaw, discovered by researchers from Google Project Zero, Amnesty International’s Security Lab, and independent security researcher Conghui Wang, impacts numerous Qualcomm chipsets. Exploitation of this use-after-free vulnerability could lead to memory corruption, potentially enabling attackers to escalate privileges and compromise affected devices. While Qualcomm issued a patch for this vulnerability in October, its inclusion in the November Android security update ensures broader distribution and remediation.

Further emphasizing the importance of this update is the active exploitation of CVE-2024-43093, an escalation of privilege vulnerability impacting Android’s framework component. This flaw affects Android versions 12, 13, 14, and 15, potentially exposing a significant portion of the Android ecosystem to attack.

In typical fashion, Google is delivering the update in two patch levels:

November 1 Patch Level (2024-11-01): Targets core Android components, including the framework and system.
November 5 Patch Level (2024-11-05): Addresses vulnerabilities specific to certain hardware components, including those by Qualcomm, MediaTek, Imagination Technologies, and others.

Android users are strongly urged to install the November security update as soon as it becomes available for their devices. Given the active exploitation of these vulnerabilities, prompt patching is crucial to mitigate the risk of compromise.