Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches Critical Flaws in Android’s System Component

Google this week released its November 2019 set of security patches for Android to address nearly 40 vulnerabilities affecting the platform, including critical flaws in the System component.

Google this week released its November 2019 set of security patches for Android to address nearly 40 vulnerabilities affecting the platform, including critical flaws in the System component.

The first part of the November 2019 Android Security Bulletin, namely the 2019-11-01 security patch level, resolves a total of 17 flaws in Framework, Library, Media framework, and System.

The most severe of these vulnerabilities is a Critical issue in the System component, which “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

A total of three Critical flaws were addressed in System, all of which could lead to remote code execution. The first of them (CVE-2019-2204) impacts Android 9, while the other two (CVE-2019-2205 and CVE-2019-2206) impact Android 8.0, 8.1, 9 and 10.

Google this month patched five other flaws in the System component, all rated High severity. Two of these are elevation of privilege bugs, while the other three are information disclosure issues.

A total of six High risk issues were fixed in Framework, namely four elevation of privilege vulnerabilities and two information disclosure bugs. Google also patched a High severity remote code execution flaw in Library and two High risk elevation of privilege issues in the Media framework.

Google also addressed 21 vulnerabilities as part of the 2019-11-05 security patch level, including two High severity Information disclosure flaws in Framework, one High risk elevation of privilege in System, and three High severity elevation of privilege and one Moderate risk information disclosure weaknesses in Kernel components.

Additionally, the 2019-11-05 security patch level includes fixes for three High severity flaws in Qualcomm components and for five Critical and six High risk security flaws in Qualcomm closed-source components. No security issues were addressed in Google Play system updates this month.

Pixel devices, however, received patches for a total of 20 vulnerabilities impacting Framework, LG components, Kernel components, Qualcomm components, and Qualcomm closed-source components, including elevation of privilege, remote code execution, and information disclosure bugs.

Affected components include Bootloader, Broadcom Firmware, Bluetooth, Crypto, EcoSystem, Audio, WLAN host, Boot, Services, Kernel, and Display.

Google also released multiple functional patches for all Pixel devices from Pixel 2 to Pixel 4 XL, to resolve issues with stability and improve audio, graphics, camera, and assistant features.

“For Google devices, security patch levels of 2019-11-05 or later address all issues in this bulletin and all issues in the November 2019 Android Security Bulletin,” Google notes in the Pixel Update Bulletin for November 2019.

Related: Researcher Publishes PoC Exploit for Recent Android Zero-Day

Related: Google Patches Remote Code Execution Bugs in Android 10

Related: Android’s September 2019 Patches Fix Nearly 50 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet