  • Android July security updates fix three actively exploited bugs


    Karlston

    • 397 views
    • 2 minutes

    Google has released the monthly security updates for the Android operating system, which come with fixes for 46 vulnerabilities. Three of the issues are likely actively exploited in the wild.

     

    “There are indications that the following [vulnerabilities] may be under limited, targeted exploitation,” reads Google’s bulletin, highlighting CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136.

     

    CVE-2023-26083 is a medium-severity memory leak flaw in the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips, which was leveraged in an exploit chain that delivered spyware to Samsung devices in December 2022.

     

    The vulnerability was deemed sufficiently severe to trigger a CISA order for federal agencies to patch it in April 2023.

     

    CVE-2021-29256 is a high-severity (CVSS v3.1: 8.8) unprivileged information disclosure and root privilege escalation flaw also impacting specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers.

     

    The third vulnerability is a critical-severity one with a score of 9.6 out of 10, identified as CVE-2023-2136. It is an integer overflow bug in Skia, Google’s open-source multi-platform 2D graphics library that is also used in Chrome, where it was fixed in April.

     

    The most severe of the security problems that Google fixed this month is CVE-2023-21250, a critical vulnerability in Android’s System component that impacts Android versions 11, 12, and 13.

     

    Exploiting CVE-2023-21250 could lead to remote code execution with no user interaction or additional execution privileges, Google says without providing extra details.

     

    The update follows the standard system of releasing two patch levels, one (2023-07-01) for core Android components (framework) and a second (2023-07-05) for kernel and closed source components, allowing device manufacturers to selectively apply what concerns their models’ hardware.

     

    Those getting the first patch level receive the current month’s framework updates and both levels of the previous month, in this case, June 2023.

     

    Users who see the second patch level on their update screen get all the above, plus the July 2023 vendor and kernel patches.
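
The two-level scheme described above lends itself to a fleet check. The following Python is an added example, not code from the article or from Google: it classifies the patch level string a device reports (the value of the `ro.build.version.security_patch` system property) against the two July 2023 levels. The status labels, function names and inventory are constructed for illustration, and levels later than 2023-07-05 are assumed to be cumulative.

```python
import re
from datetime import date

# Patch levels the article names for the July 2023 bulletin.
FRAMEWORK_LEVEL = date(2023, 7, 1)  # core Android components (framework)
FULL_LEVEL = date(2023, 7, 5)       # adds kernel and closed-source components

def parse_patch_level(value):
    """Return a date for a strict 'YYYY-MM-DD' string, else None."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", (value or "").strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13
        return None

def july_2023_coverage(value):
    """Classify a reported patch level against the two July 2023 levels."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"            # missing or malformed: verify by hand
    if level >= FULL_LEVEL:
        return "full"               # framework plus kernel/vendor fixes
    if level >= FRAMEWORK_LEVEL:
        return "framework-only"     # July kernel/vendor fixes not included
    return "missing"                # no July 2023 fixes at all

def devices_needing_action(inventory):
    """Map device -> status for every device that is not fully covered."""
    statuses = {dev: july_2023_coverage(lvl) for dev, lvl in inventory.items()}
    return {dev: s for dev, s in statuses.items() if s != "full"}

# Constructed inventory: hypothetical device names, made-up patch levels.
SAMPLE_INVENTORY = {
    "phone-a": "2023-07-05",
    "phone-b": "2023-07-01",
    "tablet-c": "2023-06-05",
    "kiosk-d": "2023-08-01",   # later levels are assumed cumulative
    "scanner-e": "July 2023",  # malformed value from a bad export
}

if __name__ == "__main__":
    for dev, status in devices_needing_action(SAMPLE_INVENTORY).items():
        print(f"{dev}: {status}")
```

A device in the "framework-only" state shows a July date on its update screen yet still lacks the July kernel and vendor patches, so it should not be counted as fully patched.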

     

    This month’s Android security update covers Android versions 11, 12, and 13, but depending on the scope of the addressed vulnerabilities, the flaws may also impact older OS versions that are no longer supported.

     

    In those cases, replacing your device with a newer model or installing a third-party Android distribution that implements security updates for older devices, albeit with a delay, would be advisable.

     

     

    Source

