Security updates that Google released this week for Android resolve 43 vulnerabilities, including three that have been exploited in attacks.
The exploited flaws, tracked as CVE-2023-2136, CVE-2023-26083, and CVE-2021-29256, impact Android’s System and Arm Mali components.
The internet giant says “there are indications” that these security defects “may be under limited, targeted exploitation”.
CVE-2023-2136 was disclosed in April as a zero-day vulnerability in the Chrome browser, and is described as an integer overflow issue in Skia.
The bug allows “a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,” a NIST advisory explains.
According to Google’s July 2023 Android security bulletin, the vulnerability can be exploited to achieve remote code execution on Android devices.
Devices running a 2023-07-01 security patch level or later are patched against this vulnerability and 22 other security defects in the platform’s Framework and System components, including a critical-severity remote code execution issue tracked as CVE-2023-21250.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” the internet giant says.
The two exploited Arm bugs were addressed as part of Android’s 2023-07-05 security patch level, which resolves a total of 20 flaws in Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm components.
The first of the vulnerabilities, CVE-2021-29256, is a privilege escalation vulnerability impacting the Midgard, Bifrost, and Valhall Mali GPU kernel drivers.
“A non-privileged user can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information,” Arm explains in its advisory.
The second exploited Arm issue, CVE-2023-26083, is described as a memory leak vulnerability in Midgard, Bifrost, Valhall, and 5th gen Mali GPU kernel drivers.
“A non-privileged user can make valid GPU processing operations that expose sensitive kernel metadata,” Arm’s advisory reads.
The chip maker warned of this flaw’s exploitation at the end of March and CISA added it to its Known Exploited Vulnerabilities catalog on April 7.
Google reported in late March that CVE-2023-26083 was one of the vulnerabilities exploited by commercial spyware vendors to hack Samsung devices. It’s possible that all of the flaws have been exploited by companies offering surveillance solutions.
This week, Google also announced security updates for Pixel devices, to address 14 vulnerabilities in Kernel, Pixel, and Qualcomm components. Two of the flaws, leading to elevation of privilege and denial-of-service (DoS), are rated ‘critical’ severity.
Pixel devices running a 2023-07-05 security patch level are patched against all these vulnerabilities and the bugs described in the July 2023 Android security bulletin.
Google’s July 2023 Android Automotive OS security update contains patches for only one specific vulnerability, but also addresses the issues resolved with the July 2023 Android security update.
Related: Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
Related: Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones
Related: Google Announces New Rating System for Android and Device Vulnerability Reports