Google on Monday announced that the December 2023 Android security updates deliver patches for 94 vulnerabilities.
The first part of the updates – the 2023-12-01 security patch level – resolves 33 vulnerabilities in Android’s Framework and System components. Three of these are rated ‘critical severity’.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed,” Google notes in its advisory.
Tracked as CVE-2023-40088, the RCE flaw impacts Android 11, 12, 12L, 13, and 14 and does not require user interaction for successful exploitation, the internet giant explains.
The latest Android update resolves 15 other issues in the System component, namely 10 elevation of privilege issues and five information disclosure bugs. All are rated ‘high severity’.
The update also patches 17 vulnerabilities in the Framework component, including two critical bugs leading to elevation of privilege and information disclosure.
A total of 61 issues were resolved with the second part of this month’s Android updates – the 2023-12-05 security patch level –, including two critical-severity flaws.
The bugs impact System, Arm, Imagination Technologies, MediaTek, Misc OEM, Unisoc, and Qualcomm components.
The 2023-12-05 security patch level resolves all 61 issues and the vulnerabilities addressed as part of the 2023-12-01 security patch level.
On Monday, Google also announced that patches for an elevation of privilege vulnerability (CVE-2023-40094) were included in the December 2023 Wear OS security update. No CVE is mentioned in the December 2023 Android Automotive security bulletin.
The company has yet to publish a security bulletin describing this month’s updates for Pixel devices.
Google makes no mention of any of the vulnerabilities addressed this month being exploited in the wild.