Google has released its April 2024 Android security patches that address multiple vulnerabilities, including two zero-day flaws affecting Pixel smartphones.
One of the zero-days is CVE-2024-29745, an information disclosure flaw in the bootloader component that can allow a local application to gain access to sensitive data. The second zero-day, tracked as CVE-2024-29748, is described as an improper input validation issue that can lead to remote code execution.
The internet giant didn’t reveal any details regarding the exploitation of the flaws, only noting in a security advisory that “there are indications that the following may be under limited, targeted exploitation.”
According to the maintainers of GrapheneOS, the above-mentioned vulnerabilities “are being actively exploited in the wild by forensic companies.”
“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking. Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory,” the researchers said in a series of publications on X.
They also noted that CVE-2024-29748 may be exploited by attackers to interrupt a factory reset triggered by a device admin app.
At present, it’s unclear which forensic firms are exploiting CVE-2024-29745 and CVE-2024-29748, or how exactly they are doing it.