Google October Android Security Update Fixes Critical RCE Flaws
Google has released patches for 28 security vulnerabilities affecting the Android operating system, 11 of which were critical flaws. Three of the critical bugs are remote code execution (RCE) flaws that could be exploited by attackers to run arbitrary code on vulnerable devices. The RCE vulnerabilities, tracked as CVE-2019-2184, CVE-2019-2185 and CVE-2019-2186, were found in Android’s Media framework. According to Google, one of these flaws is particularly severe as it could enable threat actors to use “a specially crafted file to execute arbitrary code within the context of a privileged process.”
The initial security bulletin did not include a fix for the recently uncovered critical zero-day flaw that could allow threat actors to compromise a range of popular Android phones at the kernel level. However, Google eventually updated the bulletin to include a patch for this flaw.