Google’s December 2023 Android security updates have addressed 85 vulnerabilities. The updates include a critical zero-click remote code execution (RCE) flaw, which is tracked as CVE-2023-40088. The vulnerability exists in Android’s System component and can be triggered without requiring additional privileges.
“The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” highlights the security advisory.
Accordingly, please see below for a brief overview of the critical vulnerabilities that Google has addressed.
Critical Vulnerabilities in the System Component
- CVE-2023-40088: An attacker can exploit this vulnerability to execute arbitrary code on the vulnerable devices without any user interaction. It is the most severe vulnerability addressed in the Google December 2023 Android security updates. At the time of writing this article, this vulnerability has no CVSS score yet.
- CVE-2023-45866: The vulnerability allows an unauthenticated, remote user to escalate privileges without any user interaction. As of the time of writing this article, this vulnerability does not exist in the NIST Vulnerability Database yet.
Critical Vulnerabilities in the Framework Component
- CVE-2023-40077: This vulnerability could lead to remote escalation of privilege without requiring additional execution privileges. Furthermore, user interaction is not necessary for exploitation. At the time of writing this article, the vulnerability has no assigned CVSS score.
- CVE-2023-40076: This vulnerability could result in a local escalation of privilege, without requiring any additional execution privileges. Also, exploitation does not require user interaction. This vulnerability does not currently have an assigned CVSS score, as of the article’s writing.
Critical Vulnerability in the Qualcomm Closed-Source Components
- CVE-2022-40507: This is a memory corruption issue caused by a double free in Core while mapping an HLOS address to the list. It has a CVSS score of 8.4.
Vulnerabilities under Exploitation
Additionally, Google has highlighted that the following vulnerabilities might be under exploitation:
- CVE-2023-33107: This is a Qualcomm Multiple Chipsets Integer Overflow Vulnerability with a CVSS score of 8.4.
- CVE-2023-33106: This is a Qualcomm Multiple Chipsets Use of Out-of-Range Pointer Offset Vulnerability with a CVSS score of 8.4.
- CVE-2023-33063: This vulnerability affects multiple Qualcomm chipsets and is caused by memory corruption in DSP Services during a remote call from HLOS to DSP. It has a CVSS score of 7.8.
⚠️ Please note that CISA has also added these vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Call for Action
Accordingly, Android users should promptly update their software. For details about the vulnerabilities, please refer to Google’s security advisory. Additionally, we strongly recommend that users keep automatic Android system updates enabled.
Also, please note that this update comes shortly after a fix for a zero-day vulnerability in Chrome. Thus, it is important to closely monitor Google security updates.