Google has released its monthly security updates for the Android operating system, containing fixes for 46 vulnerabilities. Three of them are likely being actively exploited in the wild.
“There are indications that the following [vulnerabilities] may be subject to limited and targeted exploitation,” reads Google's bulletin, highlighting CVE-2023-26083, CVE-2021-29256 and CVE-2023-2136.
CVE-2023-26083 is a medium-severity memory leak flaw in the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips that was used in an exploit chain that delivered spyware to Samsung devices in December 2022.
The vulnerability was deemed severe enough to trigger a CISA order for federal agencies to fix it in April 2023.
CVE-2021-29256 is a high-severity (CVSS v3.1: 8.8) unprivileged information disclosure and root privilege escalation flaw that also affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers.
The third vulnerability, identified as CVE-2023-2136, is of critical severity with a score of 9.6 out of 10. This is an integer overflow bug in Skia, Google’s open-source cross-platform 2D graphics library, which is also used in Chrome, where it was fixed in April.
The most serious of the security issues fixed by Google this month is CVE-2023-21250, a critical vulnerability in the Android system component that affects Android versions 11, 12 and 13.
Exploiting CVE-2023-21250 could lead to remote code execution without user interaction or additional execution privileges, Google says without providing further details.
The update follows the standard system of releasing two patch levels, one (2023-07-01) for core Android components (framework) and a second (2023-07-05) for kernel and vendor components, allowing device makers to selectively apply the fixes relevant to their hardware models.
Those who get the first patch tier receive the current month’s framework updates and both tiers from the previous month, in this case June 2023.
Users who see the second patch level on their update screen get all of the above, plus July 2023 vendor and kernel patches.
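The two patch levels described above can be checked across a device fleet. The following is an added example, not code from Google or from the original article: it classifies the patch level string a device reports (assumed here to have been collected beforehand, for example with `adb shell getprop ro.build.version.security_patch`) against the 2023-07-01 and 2023-07-05 levels. The device names and inventory are constructed, and treating any later level as including the July fixes is an assumption.

```python
from datetime import date

# Patch levels named in the article.
FRAMEWORK_LEVEL = date(2023, 7, 1)  # first tier: July framework fixes
FULL_LEVEL = date(2023, 7, 5)       # second tier: adds July vendor and kernel fixes


def classify(patch_level: str) -> str:
    """Map a reported security patch level (YYYY-MM-DD) to its July 2023 coverage."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        # Empty or malformed value: the device did not report a usable level.
        return "unknown"
    if level >= FULL_LEVEL:
        # Assumption: a later patch level includes all earlier fixes.
        return "full"
    if level >= FRAMEWORK_LEVEL:
        # July framework fixes plus both June tiers, no July vendor/kernel fixes.
        return "framework-only"
    return "missing"


def audit(inventory: dict) -> dict:
    """Group device names by coverage so the unpatched ones stand out."""
    report = {"full": [], "framework-only": [], "missing": [], "unknown": []}
    for device, raw_level in inventory.items():
        report[classify(raw_level)].append(device)
    return report


# Constructed sample inventory: device name -> raw property value.
SAMPLE_INVENTORY = {
    "tablet-01": "2023-07-05",
    "phone-02": "2023-07-01",
    "phone-03": "2023-06-05",
    "kiosk-04": "",
    "phone-05": "2023-08-01\n",
}

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status:15} {', '.join(devices) or '-'}")
```

Devices reported as `framework-only` or `missing` are the ones still lacking the July vendor and kernel patches.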
This month’s Android security update covers Android versions 11, 12 and 13, but depending on the scope of the vulnerabilities fixed, the flaws may also affect older versions of the operating system that are no longer supported.
In these cases, it would be advisable to replace your device with a newer model or install a third-party Android distribution that implements security updates for older devices, albeit with some delay.