Google has rolled out its monthly protection patches for Android with fixes for 39 flaws, in conjunction with a zero-day vulnerability that it discussed is being actively exploited all through the wild in limited, targeted attacks.
Tracked as CVE-2021-1048, the zero-day laptop virus is described as a use-after-free vulnerability all through the kernel that can be exploited for local privilege escalation. Use-after-free issues are bad as it’s going to allow a risk actor to get right to use or referencing memory after it is been freed, leading to a “write-what-where” situation that leads to the execution of arbitrary code to seize keep watch over over a victim’s device.
“There are indications that CVE-2021-1048 is also under limited, targeted exploitation,” the company widely recognized in its November advisory without revealing technical details of the vulnerability, the nature of the intrusions, and the identities of the attackers that may have abused the flaw.
Moreover remediated all through the protection patch are two crucial far off code execution (RCE) vulnerabilities — CVE-2021-0918 and CVE-2021-0930 — all through the Machine segment that can allow far off adversaries to execute malicious code within the context of a privileged process by the use of sending a specially-crafted transmission to targeted gadgets.
Two additional crucial flaws, CVE-2021-1924 and CVE-2021-1975, impact Qualcomm closed-source portions, while a fifth crucial vulnerability in Android TV (CVE-2021-0889) would perhaps permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with out a privileges or shopper interaction required.
- CVE-2020-11261 (CVSS rating: 8.4) – Wrong input validation in Qualcomm Graphics segment
- CVE-2021-1905 (CVSS rating: 8.4) – Use-after-free in Qualcomm Graphics segment
- CVE-2021-1906 (CVSS rating: 6.2) – Detection of error situation without movement in Qualcomm Graphics segment
- CVE-2021-28663 (CVSS rating: 8.8) – Mali GPU Kernel Driving force shall we in mistaken operations on GPU memory
- CVE-2021-28664 (CVSS rating: 8.8) – Mali GPU Kernel Driving force elevates CPU RO pages to writable