Critical remote code execution vulnerability in Android 12 affects millions of smartphones

The latest Android operating system update includes a patch for a critical vulnerability tracked as CVE-2021-39675 that resides in the System component and could be exploited to gain remote access or perform privilege escalation attacks on affected devices.

Although the company has not revealed extensive details about this flaw, it is mentioned that the error relates to Android’s wireless NFC code, which contains additional verification to make sure that a size parameter is not too large. Google may not want to share information about the failure due to the potential exploitation.

In addition to this flaw, Google addressed five high-severity vulnerabilities in android’s System component, including privilege escalation bugs in Android 11 and 12, and a denial of service (DoS) flaw in Android 10 and 11.

The System component isn’t the only Android implementation affected by the vulnerabilities. The report also points to the finding of five severe errors in the Android Framework component whose exploitation would allow high privileges to be obtained on vulnerable systems; these flaws could be chained with other bugs for additional attacks.

These flaws were addressed in update package 2022-02-01. An additional set of patches, issued this week, address a high-severity bug in System, one flaw in Amlogic’s Fastboot component, five bugs in MediaTek’s code, three in Unisoc code, and 10 high-severity flaws in Qualcomm’s code. Users should only apply these updates if their devices have these chipsets.

Users of Google Pixel devices will be the first to receive these updates to download and install, although the rest of the manufacturers will not have to wait too long to access the patches. Users should stay on top of each new update, as the company doesn’t usually send notifications for installation, a process that’s not without criticism of Android.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.