The U.S. government, through the Cybersecurity and Infrastructure Security Agency (CISA), added the Pixel firmware vulnerability (CVE-2024-32896) to its Known Exploited Vulnerabilities (KEV) catalog [4]. It ordered federal employees to update their Pixel devices before July 4 or discontinue using them [1]. The warning is directed at government agencies, but other enterprises and personal users should also take heed, especially those connecting their devices to enterprise systems.
The KEV catalog advisory states that Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation [1]. This vulnerability has been added to the catalog due to evidence of active exploitation. Pixel owners are urged to update their devices before July 4 to mitigate the risk.
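A fleet-compliance check of the kind this advisory calls for, written here as an added example (not code from the article or from CISA): it parses records in the shape of CISA's KEV JSON feed, filters to the Android Pixel entry, and flags inventory devices whose security patch level predates the fixing patch level, reporting how many days remain before the KEV due date. The KEV excerpt and the device inventory are constructed; only the July 4 due date and the advisory wording come from the article, while the `dateAdded` value and the `FIX_PATCH_LEVEL` constant are assumptions to be replaced with the vendor bulletin's values.

```python
"""Check an Android device inventory against CISA KEV due dates.

Added example, not from the original article. The KEV record below is
constructed to mirror the real catalog's JSON schema; FIX_PATCH_LEVEL is
an assumed value, not one stated in the article.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The dueDate and
# shortDescription follow the article; dateAdded is sample data, and the
# second record is an obviously placeholder entry used to exercise filtering.
KEV_JSON = """
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-32896",
      "vendorProject": "Android",
      "product": "Pixel",
      "vulnerabilityName": "Android Pixel Privilege Escalation Vulnerability",
      "dateAdded": "2024-06-13",
      "shortDescription": "Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-07-04",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-0000-00000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "requiredAction": "Placeholder entry",
      "dueDate": "2024-12-31"
    }
  ]
}
"""

# Constructed device inventory: id, product, Android security patch level
# (the YYYY-MM-DD string shown under Settings > About phone).
INVENTORY = [
    {"id": "pixel-01", "product": "Pixel", "patch_level": "2024-06-05"},
    {"id": "pixel-02", "product": "Pixel", "patch_level": "2024-05-05"},
    {"id": "other-07", "product": "ExampleProduct", "patch_level": "2024-01-01"},
]

# Assumption: the first patch level carrying the firmware fix. Take the real
# value from the vendor's security bulletin for CVE-2024-32896.
FIX_PATCH_LEVEL = "2024-06-05"


def kev_entries_for(kev_json: str, vendor: str, product: str) -> list[dict]:
    """Return KEV records matching a vendorProject/product pair."""
    catalog = json.loads(kev_json)
    return [v for v in catalog["vulnerabilities"]
            if v["vendorProject"] == vendor and v["product"] == product]


def assess(inventory: list[dict], kev_entries: list[dict],
           fix_patch_level: str, today: date) -> list[dict]:
    """Return one finding per device still running a pre-fix patch level."""
    findings = []
    for entry in kev_entries:
        due = date.fromisoformat(entry["dueDate"])
        for dev in inventory:
            if dev["product"] != entry["product"]:
                continue
            # ISO YYYY-MM-DD strings sort chronologically as plain strings.
            if dev["patch_level"] >= fix_patch_level:
                continue
            findings.append({
                "device": dev["id"],
                "cve": entry["cveID"],
                "patch_level": dev["patch_level"],
                "days_to_due": (due - today).days,
                "overdue": today > due,
                "required_action": entry["requiredAction"],
            })
    return findings


if __name__ == "__main__":
    pixel_entries = kev_entries_for(KEV_JSON, "Android", "Pixel")
    for f in assess(INVENTORY, pixel_entries, FIX_PATCH_LEVEL, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_to_due']} days left"
        print(f"{f['device']}: {f['cve']} patch level {f['patch_level']} ({state})")
```

Run against a real KEV download, the same `assess` call turns the "update or discontinue use" directive into a per-device list with a countdown, which is what an enterprise needs to enforce the deadline for Pixels enrolled in its systems.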
GrapheneOS reported two vulnerabilities, CVE-2024-29745 and CVE-2024-29748, being exploited in the wild by forensic companies. CVE-2024-29745 is a high-severity information disclosure flaw in the Pixel's bootloader, while CVE-2024-29748 is a high-severity elevation of privilege bug in the Pixel firmware. These vulnerabilities allowed those companies, given physical access, to unlock Google Pixel devices and access their memory.