Google has rolled out its monthly security updates for the Android operating system, addressing a total of 46 vulnerabilities. Three of these vulnerabilities, CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136, are believed to be actively exploited in targeted attacks.
CVE-2023-26083, a medium-severity flaw in the Arm Mali GPU driver, was used in a spyware exploit chain targeting Samsung devices in December 2022.
Another vulnerability, the high-severity CVE-2021-29256, affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers and allows an unprivileged user to disclose information and escalate privileges to root. The third vulnerability, CVE-2023-2136, is a critical-severity integer overflow bug in Skia, a 2D graphics library used in Google Chrome.
The most severe vulnerability addressed in the update is CVE-2023-21250, a critical flaw in Android’s System component impacting versions 11, 12, and 13. Exploiting this vulnerability could result in remote code execution without user interaction or additional privileges.
Google’s patch release includes two patch levels: one for core Android components and another for kernel and closed-source components, allowing device manufacturers to selectively apply the fixes based on their hardware models.
Users are advised to promptly install the security updates to ensure their devices are protected against potential exploitation. While the update covers Android versions 11, 12, and 13, older unsupported OS versions may still be impacted by the addressed vulnerabilities.
In such cases, users are advised to consider upgrading to a newer device or installing a third-party Android distribution that provides security updates, albeit with some delay.