Google has published its Android Security Bulletin for June, which contains details of over 40 security vulnerabilities affecting Android devices and related patches.
The most severe of these issues was a critical security vulnerability in the System component that could lead to remote code execution (RCE) with no additional execution privileges needed.
"The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed." (Google Advisory)
Tracked as CVE-2022-20127, the vulnerability could affect unpatched systems running Android versions 10, 11, 12, and 12L. Other RCE vulnerabilities mentioned in the bulletin could affect the Framework, Media Framework, and Kernel of certain Android devices.
Google also addressed vulnerabilities deriving from the hardware of certain manufacturers, including MediaTek and Qualcomm components as well as Motorola’s Unisoc chips.
The 2022-06-01 security patch reportedly fixed the four critical vulnerabilities mentioned above, alongside five security bugs in Framework, 13 in the System component, and 18 others across Kernel, MediaTek, Unisoc, and Qualcomm closed-source components.
Security patch levels of 2022-06-05 (or later), on the other hand, address all issues associated with the 2022-06-05 security patch level and all previous patch levels.
Google added that for some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-06-01 security patch level.
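To triage a device fleet against the two patch levels described above, the following added example (not from Google or the bulletin) classifies a reported patch level string and flags devices that, per this article, still need the CVE-2022-20127 fix. The function names and the device inventory are constructed for illustration; `ro.build.version.security_patch` and `ro.build.version.release` are the Android properties the values would come from.

```shell
# Read the two inputs from a device with:
#   adb shell getprop ro.build.version.security_patch
#   adb shell getprop ro.build.version.release

# Hypothetical helper: map a patch level string to full/partial/missing/invalid.
classify_patch_level() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;   # empty, truncated or vendor-mangled value
    esac
    # YYYY-MM-DD orders correctly as an integer once the hyphens are removed.
    n=$(printf '%s' "$1" | sed 's/-//g')
    if [ "$n" -ge 20220605 ]; then echo full        # 2022-06-05 and all previous levels
    elif [ "$n" -ge 20220601 ]; then echo partial   # 2022-06-01 level only
    else echo missing
    fi
}

# Hypothetical helper: per the article, CVE-2022-20127 concerns Android
# 10, 11, 12 and 12L and is covered from the 2022-06-01 level onward.
needs_cve_2022_20127_fix() {
    case $1 in
        10|11|12|12L) ;;
        *) echo no; return 0 ;;
    esac
    state=$(classify_patch_level "$2")
    case $state in
        missing) echo yes ;;
        invalid) echo unknown ;;   # cannot decide without a valid patch level
        *) echo no ;;
    esac
}

# Constructed inventory: serial, Android release, security patch level.
report() {
    while read -r serial release level; do
        printf '%s %s %s\n' "$serial" "$(classify_patch_level "$level")" \
            "$(needs_cve_2022_20127_fix "$release" "$level")"
    done <<'EOF'
DEV-A 11 2022-05-05
DEV-B 12 2022-06-01
DEV-C 12L 2022-06-05
DEV-D 10 unknown
EOF
}
report
```

Devices reported as `invalid` or `unknown` should be checked by hand rather than assumed patched.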
Despite patching flaws, recent data from Check Point showed that thousands of mobile apps exposed user data due to the misconfiguration of back-end cloud databases back in March, and CISA added 41 vulnerabilities to its catalog of known exploited flaws, including two concerning Android systems.