Google on Wednesday released its monthly patches for 46 new software vulnerabilities, among them three that may have been under limited, targeted exploitation and a critical vulnerability in the Android System component.
The first vulnerability under limited, targeted exploitation was CVE-2023-26083, a memory leak flaw that affected the Arm Mali GPU driver for the Bifrost and Avalon apps and Valhall chips used on Android devices.
This vulnerability was exploited in a previous attack that caused spyware infiltration on Samsung devices in December 2022. The vulnerability was serious enough for the Cybersecurity and Infrastructure Security Agency (CISA) to include it in its Known Exploited Vulnerabilities (KEV) catalog in April 2023.
Another significant vulnerability Google issued a patch for — CVE-2021-29256 — is a high-severity issue that affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. The bug lets an unprivileged user gain unauthorized access to sensitive data and escalate privileges to the root level.
The third vulnerability under limited, targeted exploitation — CVE-2023-2136 — was a critical-severity bug discovered in Skia, Google's open-source 2D graphics library. It was initially disclosed as a zero-day vulnerability in the Chrome browser and lets a remote attacker who takes over the renderer process achieve remote code execution on Android devices.
Google also patched a critical vulnerability in the Android System component. Logged as CVE-2023-21250, this vulnerability could lead to remote code execution with no additional execution privileges needed. Google reports that user interaction is not needed for exploitation.