Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches Critical Flaws in Android’s System Component

Google this week released its November 2019 set of security patches for Android to address nearly 40 vulnerabilities affecting the platform, including critical flaws in the System component.

Google this week released its November 2019 set of security patches for Android to address nearly 40 vulnerabilities affecting the platform, including critical flaws in the System component.

The first part of the November 2019 Android Security Bulletin, namely the 2019-11-01 security patch level, resolves a total of 17 flaws in Framework, Library, Media framework, and System.

The most severe of these vulnerabilities is a Critical issue in the System component, which “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

A total of three Critical flaws were addressed in System, all of which could lead to remote code execution. The first of them (CVE-2019-2204) impacts Android 9, while the other two (CVE-2019-2205 and CVE-2019-2206) impact Android 8.0, 8.1, 9 and 10.

Google this month patched five other flaws in the System component, all rated High severity. Two of these are elevation of privilege bugs, while the other three are information disclosure issues.

A total of six High risk issues were fixed in Framework, namely four elevation of privilege vulnerabilities and two information disclosure bugs. Google also patched a High severity remote code execution flaw in Library and two High risk elevation of privilege issues in the Media framework.

Google also addressed 21 vulnerabilities as part of the 2019-11-05 security patch level, including two High severity Information disclosure flaws in Framework, one High risk elevation of privilege in System, and three High severity elevation of privilege and one Moderate risk information disclosure weaknesses in Kernel components.

Additionally, the 2019-11-05 security patch level includes fixes for three High severity flaws in Qualcomm components and for five Critical and six High risk security flaws in Qualcomm closed-source components. No security issues were addressed in Google Play system updates this month.

Pixel devices, however, received patches for a total of 20 vulnerabilities impacting Framework, LG components, Kernel components, Qualcomm components, and Qualcomm closed-source components, including elevation of privilege, remote code execution, and information disclosure bugs.

Affected components include Bootloader, Broadcom Firmware, Bluetooth, Crypto, EcoSystem, Audio, WLAN host, Boot, Services, Kernel, and Display.

Google also released multiple functional patches for all Pixel devices from Pixel 2 to Pixel 4 XL, to resolve issues with stability and improve audio, graphics, camera, and assistant features.

“For Google devices, security patch levels of 2019-11-05 or later address all issues in this bulletin and all issues in the November 2019 Android Security Bulletin,” Google notes in the Pixel Update Bulletin for November 2019.

Related: Researcher Publishes PoC Exploit for Recent Android Zero-Day

Related: Google Patches Remote Code Execution Bugs in Android 10

Related: Android’s September 2019 Patches Fix Nearly 50 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.