Android’s April 2023 Updates Patch Critical Remote Code Execution Vulnerabilities

Google this week announced the April 2023 security updates for Android devices, with patches for over 65 vulnerabilities, including two critical bugs leading to remote code execution (RCE).

Google’s Android security bulletin for April 2023 describes 26 vulnerabilities resolved in the Framework and System components as part of the 2023-04-01 security patch level. Most of these are high-severity flaws leading to elevation of privilege (EoP) or information disclosure.

Two of the 16 issues addressed in System, however, are critical-severity RCE bugs, tracked as CVE-2023-21085 and CVE-2023-21096.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” Google explains.

The second part of Android’s April 2023 security update arrives on devices as the 2023-04-05 security patch level and includes fixes for 40 vulnerabilities in kernel, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components.

While most of these bugs are rated ‘high severity’, four of the issues impacting Qualcomm components are considered ‘critical severity’.

For the second month in the row, Google has not published a Pixel security bulletin on the same day that it announced the Android patches. However, Pixel users did receive an update in March, although they had to wait a few more days for it to arrive.

No Android Automotive OS security patches were announced this month either.

Related: Android’s March 2023 Updates Patch Over 50 Vulnerabilities

Related: Google Describes Privacy, Security Improvements in Android 14

Related: Android’s February 2023 Updates Patch 40 Vulnerabilities