Google patched 28 vulnerabilities during the April Android patch cycle, including one critical one. This vulnerability makes phones with Qualcomm chipsets susceptible to remote attacks. Another high priority vulnerability zit in Android’s native code and allowed malicious apps to escalate their permissions without user interaction.
The latter vulnerability could allow such apps to access data or perform actions outside their normal scope. Google classifies the impact of this leak as ‘high’, security.nl reports. Both vulnerabilities are also mentioned in Google’s own April security bulletin.
Cause buffer overflow
The critical leak in Android devices with a Qualcomm chipset concerns a security flaw in the data modem. This allows an attacker to cause a buffer overflow during the verification of a DTLS protocol handshake. This makes it possible to execute code, so-called code injection. The severity of this vulnerability, which has been assigned the code CVE-2023-28582, is rated 9.8 out of 10 on the CVSS vulnerability scale. This vulnerability is included in Quallcomm’s own security bulletin.
Google not only fixes bugs in the code of their own Android operating system, but also in components from chip manufacturers such as Qualcomm and MediaTek. The DRM system Widevine, developed by Google, also receives the updates. The company uses specific dates. Devices receiving the April updates will have patch levels of ‘2024-04-01’ or ‘2024-04-05’.
Manufacturers must add all patches from the April Android Bulletin to their own updates and make them available to their users. These updates are available for Android 12, 12L, 13 and 14.
Similar to leak from January
In the January Android security update, Google patched a similar vulnerability that occurred in phones with the Qualcomm chip. This leak was also in the data modem and, like the most recent leak, concerned the risk that telephones could be attacked remotely via code insertion in the event of a buffer overflow.
Google reports that manufacturers were notified of the vulnerabilities at least a month ago, but as always, it is not guaranteed that all Android devices will receive the updates in a timely manner. This is due to stopped support by manufacturers or a delayed rollout of the updates.
Also read: Second preview Android 15 offers satellite communication features
Tags: Google patches critical Android leak devices Qualcomm chipsets
