Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is currently being actively exploited in the wild in limited, targeted attacks.
Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation. Use-after-free issues are dangerous because they can permit a threat actor to access or reference memory after it has been freed, leading to a "write-what-where" condition that results in the execution of arbitrary code to gain control over a victim's system.
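To make the use-after-free class concrete from a defender's side, here is an added example in C that is not from Google's advisory or the Android kernel: a constructed heap object carrying a function pointer (the typical shape of a UAF target), the release pattern that leaves the caller with a dangling pointer, and a hardened release that scrubs and nulls the pointer so later uses are refused instead of dereferencing freed memory. All names (`session_t`, `session_close`, `session_dispatch`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example object: a heap record with a function pointer.
 * Freed memory that still gets called through such a pointer is exactly
 * how a use-after-free turns into arbitrary code execution. */
typedef struct session {
    int id;
    int (*on_event)(struct session *s);
} session_t;

static int handle_event(session_t *s) { return s->id * 10; }

static session_t *session_new(int id) {
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->id = id;
    s->on_event = handle_event;
    return s;
}

/* Vulnerable release pattern: the object is freed but the caller's copy of
 * the pointer keeps the old address. Any later s->on_event(s) at the call
 * site is undefined behaviour, and the freed chunk may by then hold data
 * the attacker chose. Shown for contrast only; nothing here calls through it. */
void session_close_vulnerable(session_t *s) {
    free(s);
}

/* Hardened release: takes the pointer by address, scrubs the function
 * pointer before freeing so a stale copy cannot be called, and nulls the
 * caller's pointer so every subsequent use sees NULL, not freed memory. */
static void session_close(session_t **sp) {
    if (sp && *sp) {
        memset(*sp, 0, sizeof **sp);
        free(*sp);
        *sp = NULL;
    }
}

/* Dispatch that refuses an already-released session.
 * Returns the handler result, or -1 when the session is gone. */
static int session_dispatch(session_t *s) {
    if (s == NULL || s->on_event == NULL) return -1;
    return s->on_event(s);
}

/* Live object: dispatch reaches the handler (id * 10). */
int live_dispatch_result(int id) {
    session_t *s = session_new(id);
    if (!s) return -2;
    int r = session_dispatch(s);
    session_close(&s);
    return r;
}

/* Released object: dispatch is refused (-1) instead of touching freed memory. */
int post_release_dispatch_result(int id) {
    session_t *s = session_new(id);
    if (!s) return -2;
    session_close(&s);          /* s is now NULL */
    return session_dispatch(s); /* -1 */
}

int main(void) {
    printf("live: %d, after release: %d\n",
           live_dispatch_result(7), post_release_dispatch_result(7));
    return 0;
}
```

Nulling the pointer only protects the copy that was passed in; if the object is aliased from several places (as kernel objects usually are), the fix is ownership discipline such as reference counting so the last holder performs the free, with tools like KASAN used in testing to catch the stale accesses that remain.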
"There are indications that CVE-2021-1048 may be under limited, targeted exploitation," the company noted in its November advisory, without revealing technical details of the vulnerability, the nature of the intrusions, or the identities of the attackers that may have abused the flaw.
Also remediated in the security patch are two critical remote code execution (RCE) vulnerabilities — CVE-2021-0918 and CVE-2021-0930 — in the System component that could allow remote adversaries to execute malicious code in the context of a privileged process by sending a specially crafted transmission to targeted devices.
Two more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV (CVE-2021-0889) could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required.
With the latest round of updates, Google has addressed a total of 6 zero-days in Android since the start of the year —
- CVE-2020-11261 (CVSS score: 8.4) – Improper input validation in Qualcomm Graphics component
- CVE-2021-1905 (CVSS score: 8.4) – Use-after-free in Qualcomm Graphics component
- CVE-2021-1906 (CVSS score: 6.2) – Detection of error condition without action in Qualcomm Graphics component
- CVE-2021-28663 (CVSS score: 8.8) – Mali GPU Kernel Driver allows improper operations on GPU memory
- CVE-2021-28664 (CVSS score: 8.8) – Mali GPU Kernel Driver elevates CPU RO pages to writable