Android has released its August security patches, addressing more than 40 vulnerabilities.
These vulnerabilities primarily concern remote code execution (RCE), elevation of privilege (EoP), and information disclosure (ID).
The bulletin rates 37 of them as High severity and 4 as Critical severity.
The most concerning among them are the RCE vulnerabilities that can be exploited without any user interaction.
Vulnerability Categories and Areas
The bulletin groups the fixes by component and subcomponent. The affected areas include:
- Android runtime
- Framework and System
- Media Framework
- Kernel
- processor-based components (Qualcomm, Arm, MediaTek)
Android Runtime Vulnerability
Within Android's runtime, a remote information disclosure vulnerability (CVE-2023-21265, rated High) was uncovered. Notably, exploiting it requires no additional execution privileges and no user interaction.
Framework Vulnerabilities
The Framework section contains a Critical RCE vulnerability (CVE-2023-21287) alongside several High-severity EoP, ID, and denial-of-service (DoS) issues.
Media Framework and System Vulnerabilities
Kernel and Processor-based Vulnerabilities
A Critical elevation of privilege vulnerability was identified in the kernel's KVM subcomponent (CVE-2023-21264); it requires no user interaction. Among processor-based components, a Qualcomm closed-source component carries a Critical vulnerability (CVE-2022-40510), while Arm's Mali (CVE-2022-34830) and MediaTek's keyinstall subcomponent (CVE-2023-20780) carry High-severity vulnerabilities.
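The practical question for a fleet is whether a given device actually carries these fixes. The August 2023 bulletin publishes two security patch levels (not mentioned above): 2023-08-01 covers the AOSP components (Android runtime, Framework, System), and 2023-08-05 additionally covers the kernel and vendor components (Qualcomm, Arm, MediaTek). The script below is an added example, not code from the bulletin or from this article; it classifies the patch-level string a device reports via `adb shell getprop ro.build.version.security_patch` against those two levels. The sample values in the loop are constructed stand-ins for getprop output.

```shell
#!/bin/sh
# Added example: classify a device's reported security patch level against the
# August 2023 Android bulletin. Patch-level strings look like YYYY-MM-DD and
# come from:  adb shell getprop ro.build.version.security_patch

# Patch levels from the August 2023 bulletin. 2023-08-01 covers the AOSP
# components; 2023-08-05 additionally covers kernel and vendor components.
AOSP_LEVEL=2023-08-01
FULL_LEVEL=2023-08-05

# patch_to_int 2023-08-05 -> 20230805 ; returns 1 for malformed input
patch_to_int() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) echo "$1" | tr -d '-' ;;
    *) return 1 ;;
  esac
}

# patch_covers LEVEL DEVICE_LEVEL -> exit 0 if DEVICE_LEVEL >= LEVEL,
# 1 if older, 2 if either string is malformed
patch_covers() {
  want=$(patch_to_int "$1") || return 2
  have=$(patch_to_int "$2") || return 2
  [ "$have" -ge "$want" ]
}

# classify DEVICE_LEVEL -> prints one of: full | aosp-only | unpatched | invalid
classify() {
  if ! patch_to_int "$1" >/dev/null; then
    echo invalid
    return
  fi
  if patch_covers "$FULL_LEVEL" "$1"; then
    echo full
  elif patch_covers "$AOSP_LEVEL" "$1"; then
    echo aosp-only
  else
    echo unpatched
  fi
}

# Constructed sample values standing in for getprop output on several devices.
for level in 2023-08-05 2023-08-01 2023-07-05 2023-09-01 unknown; do
  printf '%s -> %s\n' "$level" "$(classify "$level")"
done

# Live use against a connected device (needs adb; not run here):
# classify "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
```

Dates are compared as integers after stripping the dashes, which is why a later level such as 2023-09-01 also reports `full`; an `aosp-only` result means the vendor-component fixes (including the KVM, Qualcomm, Mali and MediaTek issues above) may still be missing.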