Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Updates for May 2021 Patch Over 40 Vulnerabilities

The Android operating system updates released by Google for May 2021 patch a total of 42 vulnerabilities, including four considered critical severity.

The Android operating system updates released by Google for May 2021 patch a total of 42 vulnerabilities, including four considered critical severity.

Addressed as part of the 2021-05-01 security patch level, three of the critical flaws were identified in the System component and all three could be exploited remotely to execute arbitrary code on a vulnerable device.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

Tracked as CVE-2021-0473 and CVE-2021-0474, two of these bugs affect Android 8.1, 9, 10, and 11 releases, while the third, CVE-2021-0475, impacts Android 10 and 11 only.

In addition to these critical bugs, five other vulnerabilities were addressed in Android System, all rated high severity. Three of these could lead to elevation of privilege, while the remaining two may be exploited for information disclosure.

The 2021-05-01 security patch level also contains fixes for three high-severity elevation of privilege flaws in the framework component and two high-severity issues (one elevation of privilege and one information disclosure) in the media framework component.

The second part of this month’s security update, the 2021-05-05 security patch level, contains fixes for 29 vulnerabilities in Android components such as framework, kernel, AMLogic, ARM, MediaTek, Unisoc, Qualcomm, and Qualcomm closed-source.

The most important of these bugs is CVE-2021-0467, a critical vulnerability in AMLogic BootROM that could allow an attacker to execute arbitrary code at bootROM level, even before data signature is performed.

Of the remaining 28 vulnerabilities addressed with the 2021-05-05 security patch level, 27 have been rated high severity, while the last one is considered medium severity.

On May 3, Google also published information on the security patches that address vulnerabilities specific to Pixel devices, detailing a total of seven such bugs, all moderate severity.

Three of these impact kernel components, one Qualcomm components, and three others affect Qualcomm closed-source components.

Pixel devices running a security patch level of 2021-05-05 or later have patches for all of these flaws, as well as for those addressed with this month’s Android updates.

Related: Google Patches Critical Code Execution Vulnerability in Android

Related: Google Patches Critical Remote Code Execution Vulnerability in Android

Related: Google Patches Over a Dozen High-Severity Privilege Escalation Flaws in Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet