Google released the monthly security update for the Android platform, adding fixes for 56 vulnerabilities, including five with a critical severity rating and one exploited since at least last December.

The new security patch level 2023-06-05 includes a fix for CVE-2022-22706a very serious flaw in Arm’s Mali GPU core driver that Google’s Threat Analysis Group (TAG) believes it may have been used in a spyware campaign targeting Samsung phones.

“There are indications that CVE-2022-22706 may be subject to limited and targeted exploitation,” it read. The latest newsletter from Google. CISA too Underline active exploitation of CVE-2022-22706 in an advisory published at the end of March.

With a score of 7.8 out of 10, the high-severity security issue allows unprivileged users to gain write access to read-only memory pages.

According to Arm, the issue affects the following kernel driver versions:

• Midgard GPU Core Driver: All versions from r26p0 to r31p0
• Bifrost GPU core driver: all versions from r0p0 to r35p0
• Valhall GPU Core Driver: All versions from r19p0 to r35p0

The arm solved the problem in Bifrost and Valhall GPU Kernel Driver r36p0 and in Midgard Kernel Driver r32p0, but the fix has only made it to stable Android now.

It should be noted that Samsung has addressed CVE-2022-22706 in its May 2023 Update. The company’s quick response to the active exploitation of the flaw is likely due to its users being explicitly targeted by the spyware campaign.

Critical-severity flaws fixed in this month’s Android update include:

1. CVE-2023-21127 – Remote code execution flaw in Android Framework, impacting Android 11, 12 and 13. Fixed in security patch level “2023-06-01”.
2. CVE-2023-21108 – Remote code execution flaw in the Android system, affecting Android 11, 12 and 13. Fixed in security patch level “2023-06-01”.
3. CVE-2023-21130 – Remote code execution flaw in the Android system, impacting Android 13. Fixed in security patch level “2023-06-01”.
4. CVE-2022-33257 – Critical flaw of undefined type, impacting closed components of Qualcomm. Fixed in security patch level “2023-06-05”.
5. CVE-2022-40529 – Critical flaw of undefined type, impacting closed components of Qualcomm. Fixed in security patch level “2023-06-05”.

Devices running Android 10 or earlier are no longer supported and will not receive this security update.

Users of obsolete devices should be aware of the risk of potential impact. They either have to upgrade to a newer and actively supported Android model, or turn to a third-party Android distribution that still provides security patches, even though these are usually delayed.