The Android platform’s monthly security update from Google includes fixes for 56 vulnerabilities, five of which have a critical severity rating and one that has been exploited since at least December of last year.
A patch for CVE-2022-22706, a high-severity flaw in the Mali GPU kernel driver from Arm that Google’s Threat Analysis Group (TAG) believes may have been used in a spyware campaign targeting Samsung phones, is included in the new security patch level 2023-06-05.
According to Google’s most recent bulletin, “There are indications that CVE-2022-22706 may be under limited, targeted exploitation.” In a March advisory, CISA also highlighted the active exploitation of CVE-2022-22706.
The high-severity security flaw grants non-privileged users write access to read-only memory pages, earning it a score of 7.8 out of 10.
Arm claims that the problem affects the following kernel driver versions:
Driver for Midgard GPU Kernel: From r26p0 to r31p0
Bifrost GPU Kernel Driver: From r0p0 to r35p0,
Valhall GPU Kernel Driver is available. Arm fixed the problem in Bifrost and Valhall GPU Kernel Driver r36p0
Midgard Kernel Driver r32p0 (all versions from r19p0 to r35p0), but the fix is only now in the stable version of Android.
It is important to note that Samsung fixed CVE-2022-22706 in its update for May 2023. The fact that the spyware campaign explicitly targeted the company’s customers is likely the reason for the company’s swift response to the active exploitation of the flaw.
The following are the critical-severity flaws fixed in the Android update this month:
CVE-2023-21127 – Remote code execution flaw in Android Framework, impacting Android 11, 12, and 13. Fixed in security patch level “2023-06-01.”
CVE-2023-21108 – Remote code execution flaw in Android System, impacting Android 11, 12, and 13. Fixed in security patch level “2023-06-01.”
CVE-2023-21130 – Remote code execution flaw in Android System, impacting Android 13. Fixed in security patch level “2023-06-01.”
CVE-2022-33257 – Critical flaw of an undefined type, impacting Qualcomm closed-source components. Fixed in security patch level “2023-06-05.”
CVE-2022-40529 – Critical flaw of an undefined type, impacting Qualcomm closed-source components. Fixed in security patch level “2023-06-05.”
This security update is not available for devices running Android 10 or later because they are no longer supported.
Users of out-of-date devices ought to be aware of the possibility of an impact. They should either upgrade to a more recent Android model that is actively supported or use a third-party Android distribution that still provides security updates, despite the fact that these typically take some time to arrive.