Google releases fix for 3 actively exploited bugs for Android

"There are indications that the following (vulnerabilities) may be under limited, targeted exploitation -- CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136," reads Android Security Bulletin.

Update: 2023-07-07 03:22 GMT

Representative image

SAN FRANCISCO: Google has released the monthly security updates for the Android operating system, which come with fixes for 46 vulnerabilities, along with the fix for three actively exploited bugs.

"There are indications that the following (vulnerabilities) may be under limited, targeted exploitation -- CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136," reads Android Security Bulletin.

According to BleepingComputer, CVE-2023-26083 is a medium-severity memory leak flaw in the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips that was exploited in a December 2022 exploit chain that delivered spyware to Samsung devices.

CVE-2021-29256 is a critical (CVSS v3.1: 8.8) unprivileged information disclosure and root privilege escalation vulnerability that affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers.

The third vulnerability, CVE-2023-2136, is a critical-severity one with a score of 9.6 out of 10 as it is an integer overflow bug in Skia, Google's open-source multi-platform 2D graphics library that is also used in Chrome, where it was fixed in April, the report said.

Moreover, the report mentioned that CVE-2023-21250, a critical vulnerability in Android's System component that affects Android versions 11, 12, and 13, is the most serious of the security issues that Google fixed this month.

The Android security update for this month covers Android versions 11, 12, and 13, but depending on the scope of the addressed vulnerabilities, they may affect older OS versions that are no longer supported.

Last month, Google issued a security update for the Chrome web browser to address the third zero-day vulnerability exploited by hackers this year.

"Google is aware that an exploit for CVE-2023-3079 exists in the wild," Google said in a blogpost. 

Tags:    

Similar News