What you need to know
- Google discovered a security flaw in Android that allowed for remote code execution, which it described as a "critical security vulnerability."
- The vulnerability is what is known as a "zero-click" flaw, meaning it requires no interaction to be exploited.
- Google is providing OEMs with a fix via the Android Open Source Project, but it'll be up to each phone maker to ship updates to their smartphones.
Google discovered a "critical security vulnerability" in Android that makes it possible for a remote hacker to execute code on your phone, it said in December's Android Security Bulletin. The company has already provided Android phone manufacturers with a fix, but each OEM must send out its own update to patch the security flaw.
The bug has been assigned CVE-2023-40088 in the National Vulnerability Database, which provides more information. According to the NVD report, the issue surfaces when the Android phone tries to run a callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp. During this action, it's possible for memory to be corrupted through a use-after-free vulnerability.
Essentially, this problem causes Android phones to access com_android_bluetooth_btservice_AdapterService.cpp without authorization after the system's memory has already been deallocated. This could allow a remote hacker to access an Android phone, executing code without any user action needed.
While this flaw can be exploited remotely, it's worth noting that a would-be attacker would need to be relatively near you for it to work. It can be exploited via Wi-Fi, Bluetooth, or NFC wireless connection.
Google has sent a fix for Android versions 11, 12, 12L, 13, and the latest Android 14 via the Android Open Source Project. Presumably, this means Android phones on these versions are affected by the bug. Since this issue allows for remote code execution with no user interaction needed, it's one of the most severe types of security vulnerabilities.
Neither Google nor the NVD specifies whether the bug has been actively exploited in the wild. Usually, this would be stated in the event a security flaw has been exploited, but we don't know for sure. Google didn't add any more context for the vulnerability, which is to be expected. The company will likely not provide more information until the issue has been patched and the majority of active devices have been updated.
However, since the patch will be released via the AOSP, you won't see an update immediately. The update will be sent out over the next couple of days, but each Android OEM must send out the fix after that. Pixel phones could be the first to receive the patch, but timelines can vary for other brands.
Considering the severity of this issue, keep an eye out for a security update this month if you use an Android smartphone.
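One way to check whether a device has picked up the fix is to read its release and security patch level from `adb shell getprop` output. The sketch below is an added example, not code from the article or from Google. It assumes the December bulletin's fix corresponds to the 2023-12-01 patch level (the article does not give that string), and the sample dumps are constructed.

```python
import re
from datetime import date

# Android releases the article lists as receiving the fix, keyed by API level
# (11=30, 12=31, 12L=32, 13=33, 14=34).
AFFECTED_SDKS = {30: "11", 31: "12", 32: "12L", 33: "13", 34: "14"}

# Assumption: the December bulletin's fix corresponds to this patch level;
# the article itself does not give the patch-level string.
FIXED_PATCH_LEVEL = date(2023, 12, 1)

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]\s*$")


def parse_getprop(dump):
    """Parse `adb shell getprop` output ('[key]: [value]' lines) into a dict."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def triage(dump, fixed=FIXED_PATCH_LEVEL):
    """Return 'patched', 'needs-update', 'not-listed', or 'unknown'."""
    props = parse_getprop(dump)
    try:
        sdk = int(props["ro.build.version.sdk"])
        patch = date.fromisoformat(props["ro.build.version.security_patch"])
    except (KeyError, ValueError):
        return "unknown"  # missing or malformed properties: check by hand
    if sdk not in AFFECTED_SDKS:
        return "not-listed"  # release is not among those the article names
    return "patched" if patch >= fixed else "needs-update"


# Constructed sample dumps (not from real devices).
SAMPLE_OLD = "[ro.build.version.sdk]: [33]\n[ro.build.version.security_patch]: [2023-11-05]\n"
SAMPLE_NEW = "[ro.build.version.sdk]: [34]\n[ro.build.version.security_patch]: [2023-12-05]\n"

if __name__ == "__main__":
    for name, dump in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, triage(dump))
```

A device reporting `needs-update` is on a release the article names but has not yet received its OEM's update. `not-listed` means only that the release is outside the versions the article mentions.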