Twitter / X: https://twitter.com/GrapheneOS/status/1787861645395362093
Mastodon: https://grapheneos.social/@GrapheneOS/112400427658505385
Bluesky: https://bsky.app/profile/grapheneos.org/post/3krvualkgxf2y
Google has listed the CVE-2024-23694 vulnerability we reported in the security acknowledgements for May 2024:
https://source.android.com/docs/security/overview/acknowledgements
This is the Bluetooth issue we found with memory tagging, to which they assigned High severity:
https://grapheneos.social/@GrapheneOS/112066872276203917
We fixed this on March 9th.
This vulnerability isn't listed in the baseline Android Security Bulletin despite being an Android Open Source Project issue. It will likely be listed in the Pixel Update Bulletin which should be today with the monthly update of AOSP and the Pixel OS:
https://grapheneos.social/@GrapheneOS/112398434880567630
This vulnerability only impacts Android 14 QPR2 and later. It's possible they only list issues impacting the initial release of Android 14 in Android Security Bulletins and put the rest in Pixel bulletins. It's odd how Pixel bulletins are mostly issues impacting other devices.
Last month, Pixels fixed 2 vulnerabilities we reported which were both classified as High severity and were both exploited in the wild by forensic companies:
https://grapheneos.social/@GrapheneOS/112204428984003954
Both also impact non-Pixels but were only fixed for Pixels and listed in the Pixel bulletin.
We understand why they didn't list those firmware patches in the Android Security Bulletin (ASB) since other devices with the same issues need their own firmware patches for them.
The AOSP 14 QPR2 Bluetooth bug not being listed means the ASB is less complete than we thought, though.
As we expected, it's listed in the Pixel Update Bulletin despite being an Android Open Source Project vulnerability and patch:
https://source.android.com/docs/security/bulletin/pixel/2024-05-01
Android Security Bulletins only cover the subset of High/Critical severity patches backported to the baseline yearly releases.