Google has released updates for Android 10, 11, 12 and 12L as part of the May Security Bulletin. It has also released updates for Pixel devices to improve security and other functional operations.
Three vulnerabilities are rated as critical. Two of those concern only Pixel users and are included in these two bulletins.
The first one is a remote code execution (RCE) vulnerability tracked as CVE-2022-20120 in the Android bootloader. By default, the bootloader will only load software that was signed by Google. But if you unlock the bootloader, it will load whatever software you tell it to. The exact issue has not been disclosed, but depending on the level of access needed to exploit this vulnerability, this could be very serious.
The next in the list is an information disclosure vulnerability tracked as CVE-2022-20117. Titan M is an enterprise-grade security chip custom built for Pixel phones to secure the most sensitive on-device data and operating system. Titan M helps the bootloader make sure that you’re running the right version of Android. But being able to steal information from the part that is supposed to secure the most sensitive data does not bode well.
The third vulnerability is tracked as CVE-2021-35090. Qualcomm lists it as a Time-of-check Time-of-use Race Condition in Kernel, and describes it as a possible hypervisor memory corruption due to a TOCTOU race condition when updating address mappings. In general, a TOCTOU occurs when a resource is checked for a particular value, such as whether a file exists or not, and that value then changes before the resource is used, invalidating the results of the check. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.
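The general check-then-use pattern described above, shown on a file path as an added example; it is not code from the bulletin and does not model CVE-2021-35090, whose details are not given here. The function names, the `between` hook (which stands in for a concurrent thread) and the sample files are assumptions constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700 /* lstat, symlink, mkdtemp, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: check and use each resolve the path, so they can see different files. */
int open_regular_racy(const char *path, void (*between)(const char *)) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1; /* time of check */
    if (between) between(path); /* hypothetical hook: a concurrent thread runs here */
    return open(path, O_RDONLY);                                  /* time of use */
}

/* Hardened: open once, then check the object the descriptor refers to. */
int open_regular_safe(const char *path, void (*between)(const char *)) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (between) between(path); /* a path swap here cannot change what fd is */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

static char other[128]; /* constructed sample: second file, swapped in mid-call */
static void swap_in_other(const char *path) {
    if (unlink(path) != 0 || symlink(other, path) != 0) perror("swap");
}

static void put(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Returns the first byte read: 'A' = the file that was checked, 'B' = the other. */
int demo(int hardened) {
    char dir[] = "/tmp/toctouXXXXXX", path[128], c = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/checked", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    put(path, "A"); put(other, "B");
    int fd = (hardened ? open_regular_safe : open_regular_racy)(path, swap_in_other);
    if (fd >= 0) { if (read(fd, &c, 1) != 1) c = 0; close(fd); }
    unlink(path); unlink(other); rmdir(dir);
    return fd < 0 ? -1 : c;
}
```

`demo(0)` ends up reading the file that replaced the checked one, while `demo(1)` reads the file that was actually validated, because the check is made on the open descriptor rather than on the name.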
None of the vulnerabilities have been flagged as being used in the wild. Google discloses that the most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege (EoP) with user execution privileges needed.
For Google and other Android devices, security patch levels of 2022-05-05 or later address all issues in these bulletins.