The Android operating system updates released by Google for May 2021 patch a total of 42 vulnerabilities, including four considered critical severity.
Addressed as part of the 2021-05-01 security patch level, three of the critical flaws were identified in the System component and all three could be exploited remotely to execute arbitrary code on a vulnerable device.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.
Tracked as CVE-2021-0473 and CVE-2021-0474, two of these bugs affect Android 8.1, 9, 10, and 11 releases, while the third, CVE-2021-0475, impacts Android 10 and 11 only.
In addition to these critical bugs, five other vulnerabilities were addressed in Android System, all rated high severity. Three of these could lead to elevation of privilege, while the remaining two may be exploited for information disclosure.
The 2021-05-01 security patch level also contains fixes for three high-severity elevation of privilege flaws in the framework component and two high-severity issues (one elevation of privilege and one information disclosure) in the media framework component.
The second part of this month’s security update, the 2021-05-05 security patch level, contains fixes for 29 vulnerabilities in Android components such as framework, kernel, AMLogic, ARM, MediaTek, Unisoc, Qualcomm, and Qualcomm closed-source.
The most important of these bugs is CVE-2021-0467, a critical vulnerability in AMLogic BootROM that could allow an attacker to execute arbitrary code at bootROM level, even before data signature is performed.
Of the remaining 28 vulnerabilities addressed with the 2021-05-05 security patch level, 27 have been rated high severity, while the last one is considered medium severity.
On May 3, Google also published information on the security patches that address vulnerabilities specific to Pixel devices, detailing a total of seven such bugs, all moderate severity.
Three of these impact kernel components, one Qualcomm components, and three others affect Qualcomm closed-source components.
Pixel devices running a security patch level of 2021-05-05 or later have patches for all of these flaws, as well as for those addressed with this month’s Android updates.