Google patched around 90 security vulnerabilities in its Android operating system impacting its Pixel devices and third-party Android handsets, including a critical RCE bug that could allow an attacker to commandeer a targeted vulnerable mobile device.
That bug (CVE-2021-0507) exists in the System component of the Android OS and could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. A second critical vulnerability is an elevation-of-privilege (EoP) issue tracked as CVE-2021-0516.
Google also addressed several high-severity EoP issues in other components within the OS, including one in Android runtime (CVE-2021-0511) that could enable a local attacker to execute arbitrary code and bypass user interaction requirements in order to gain access to additional permissions.
Media Framework meanwhile has four EoP issues (CVE-2021-0508, CVE-2021-0509, CVE-2021-0510, CVE-2021-0520), the most severe of which could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.
Other high-severity EoP issues (CVE-2020-14305, CVE-2021-0512) exist in the upstream kernel as well, the most severe of which could lead to local escalation of privilege with no additional execution privileges needed.
The internet giant also addressed several high-severity information-disclosure issues for Android, such as one in Framework (CVE-2021-0521) that could lead to local information disclosure of cross-user permissions with no additional execution privileges needed.
Google didn’t release further details on any of the flaws. The security patch level of 2021-06-05 or later resolves all issues.