Google Fixes Critical RCE Vulnerabilities in December 2024 Pixel Security Update

by do son · December 8, 2024

Image: Google

Google has rolled out its December 2024 security update for Pixel devices, addressing a total of 28 vulnerabilities, including two critical remote code execution (RCE) flaws in the Cellular baseband subcomponent. The update is being rolled out in two parts, with the first addressing six security defects in the Framework and System components and the second tackling vulnerabilities in components from Imagination Technologies, MediaTek, and Qualcomm.

The two critical vulnerabilities (CVE-2024-39343 and CVE-2024-53842) reside in the Cellular baseband subcomponent and could allow remote attackers to execute arbitrary code on vulnerable devices.

In addition to the critical RCE flaws, the update also addresses several high-severity vulnerabilities, including:

Elevation of privilege (EoP) vulnerabilities in the eSIM (CVE-2024-8257), VPN (CVE-2024-11624), and FPS (CVE-2024-53835 & CVE-2024-53840) components.
A remote code execution flaw (CVE-2024-43767) in the System component that could be exploited without any additional execution privileges

Fixes span multiple Android versions (12 through 15), with the updated source code available in the Android Open Source Project (AOSP) repository.

Google has not disclosed any information about these vulnerabilities being actively exploited in the wild. However, users are strongly encouraged to update their Pixel devices as soon as the security update becomes available to mitigate the risk of potential attacks.

The update is being rolled out in phases, so it may take some time to reach all devices. Users can manually check for updates by going to Settings > System > System update.