Google released patches for 16 Android vulnerabilities, with seven of the updates considered critical vulnerabilities. Google rated ten of the patches as high priority and two as moderate priority.
The most serious vulnerability (CVE-2016-0815 and CVE-2016-0816), a Mediaserver vulnerability allows email, web, video or text message attachments containing malware to execute remote code on affected devices. Android's Mediaserver platform was affected by the Stagefright vulnerability last July.
Google also patched critical vulnerabilities that allowed elevated privileges affecting the libvpx library (CVE-2016-1621), Conscrypt (CVE-2016-0818), Qualcomm Performance component (CVE-2016-0819), MediaTek Wi-Fi driver (CVE-2016-0820), and keyring (CVE-2016-0728).
“Partners were notified about the issues described in the bulletin on February 1, 2016 or earlier,” Google stated in a security update. ““We have had no reports of active customer exploitation of these newly reported issues.”
The security update, published on Monday, noted that patches will be released to Android's open source repository within 48 hours. Nexus devices have received updates, but other device manufacturers will release software updates on their own timeline.