Google's Monthly Android Security Update: Addressing 46 Vulnerabilities, Including Actively Exploited Flaws

Google has released its monthly security update for the Android operating system, which addresses 46 new software vulnerabilities

Google has released its monthly security update for the Android operating system, which addresses 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as being actively exploited in targeted attacks. One of the vulnerabilities tracked as CVE-2023-26083 is a memory leak flaw affecting Arm Mali GPU drivers for Bifrost, Avalon, and Valhall chips. This particular vulnerability was exploited in a previous attack that allowed spyware infiltration on Samsung devices in December 2022. This vulnerability was considered serious enough to prompt the Cyber and Infrastructure Security Agency (CISA) to issue a patching order to federal agencies in April 2023.

CVE-2021-29256 is a high-severity non-privileged information disclosure (CVSS v3.1:8.8) and root privilege escalation flaw that also impacts certain versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. The third vulnerability is a critical vulnerability with a score of 9.6 out of 10, identified as CVE-2023-2136. This is an integer overflow bug in Skia, Google's open-source multi-platform 2D graphics library also used in Chrome, which was fixed in April.

According to Google's July 2023 Android security bulletin, the vulnerability could be exploited to achieve remote code execution on Android devices. Devices running security patch level 2023-07-01 or later are patched against this vulnerability and 22 other security flaws in the platform's Framework and System components, including a critical severity remote code execution issue tracked as CVE-2023-21250. This security update is being rolled out in two patch levels. The initial patch level, which became available on July 1, focuses on the core components of Android, addressing 22 security flaws in the Framework and System components.

The second patch level, released on July 5, targeted kernel and closed-source components, addressing 20 vulnerabilities in Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm components. Chipmakers warned of exploitation of these flaws in late March and CISA added them to its Exploited Vulnerabilities catalog on April 7. Google reported in late March that CVE-2023-26083 was one of the vulnerabilities exploited by commercial spyware vendors to hack Samsung devices. It is possible that all such flaws have been exploited by companies offering surveillance solutions.

It is important to note that the impact of the vulnerabilities addressed may extend beyond the supported versions of Android (11, 12, and 13), potentially affecting older versions of the OS that no longer receive official support. Google has further rolled out a dedicated security patch for its Pixel devices, which addresses 14 vulnerabilities in the Kernel, Pixel, and Qualcomm components. Two of these critical flaws could result in elevated privilege and denial-of-service attacks.