Android Security Updates: Over 40 Vulnerabilities Including Critical RCE Patched

Android has released its August security patches, which fix more than 40 vulnerabilities. Most of them fall into three categories: Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure (ID).

The fixes cover 37 high-severity and 4 critical-severity vulnerabilities. The most critical issues were remote code execution vulnerabilities that require no user interaction. In the July patches, Android fixed 43 vulnerabilities.

Vulnerability and Category

Android has gone through every component and subcomponent to find vulnerabilities and patch them accordingly. These vulnerabilities were related to Android Runtime, Framework, Media Framework, System, and components such as the Kernel and processor-based components.

Android Runtime had only a remote information disclosure vulnerability, which required no execution privileges or user interaction. It was classified as high severity and is tracked as CVE-2023-21265.

The Framework section of the Android security patches showed several high-severity vulnerabilities; the most critical one was a remote code execution vulnerability tracked as CVE-2023-21287. The other high-severity vulnerabilities were related to EoP, ID, and DoS (Denial of Service).

The Media Framework and System sections each had only one critical-severity vulnerability, CVE-2023-21282 and CVE-2023-21273 respectively, both of which were remote code execution.

The Kernel section had one critical-severity vulnerability, an Elevation of Privilege (EoP) issue in the KVM subcomponent. It did not require any user interaction for exploitation and is tracked as CVE-2023-21264.

The processor-based section showed one critical vulnerability in Qualcomm closed-source components and one high-severity vulnerability each in the Arm subcomponent Mali and the MediaTek subcomponent keyinstall. The CVEs were CVE-2022-40510 (Qualcomm), CVE-2023-20780 (MediaTek), and CVE-2022-34830 (Arm).

For detailed information on the vulnerabilities and patches, refer to the security bulletin released by Android.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.