Google released Android Security Bulletin for May 2021 security updates that address four zero-day vulnerabilities that were exploited in the wild.
Android Security Bulletin for May 2021 security updates address four zero-day vulnerabilities, tracked as CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664, that were actively exploited in the wild.
The four vulnerabilities impact Qualcomm GPU and Arm Mali GPU Driver components, according to Google Project Zero researchers the attacks exploiting them targeted a limited number of users.
CVE-ID | Impact |
CVE-2021-1905 | Use After Free in Graphics. Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. |
CVE-2021-1906 | Improper handling of address deregistration on failure can lead to new GPU address allocation failure. |
CVE-2021-28663 | A non-privileged user can make improper operations on GPU memory to enter into a use-after-free scenario and may be able to gain root privilege, and/or disclose information. |
CVE-2021-28664 | A non-privileged user can get a write access to read-only memory, and may be able to gain root privilege, corrupt memory and modify the memory of other processes. |
“The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications.” reads the Android Security Bulletin. “There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation.”
Android addresses three critical issues, tracked as CVE-2021-0473, CVE-2021-0474, CVE-2021-0475 impacting the System component and one critical flaw tracked as CVE-2021-0467 in the AMLogic.
The critical issues in the System component could be exploited by remote attackers using a specially crafted file to execute arbitrary code within the context of a privileged process.
Android users should install the updates as soon as possible.
To read the original article:
https://securityaffairs.co/wordpress/118089/mobile-2/android-4-zero-day-flaws.html