Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches Critical RCE Vulnerabilities in Android’s System Component

Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component.

Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component.

All of the four critical bugs addressed this month in Android’s System could lead to remote code execution, and all impact Android 8.0, 8.1, 9, and 10. Fixes for the flaws will be delivered to all devices running the 2020-04-01 security patch level or newer.

The vulnerabilities are tracked as CVE-2020-0070, CVE-2020-0071, CVE-2020-0072, and CVE-2020-0073.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in an advisory.

Patches for eight other issues were included in the 2020-04-01 security patch level, namely six vulnerabilities in the Framework component (four high risk elevation of privilege, one high severity information disclosure, and one moderate risk information disclosure), and two in Media framework (both high severity elevation of privilege flaws).

The second part of Google’s April 2020 Android Security Bulletin will arrive on devices as 2020-04-05 security patch level, delivering patches for 43 vulnerabilities.

These include components such as Framework (one high severity information disclosure), Kernel components (three high risk elevation of privilege bugs), FPC components (a high risk elevation of privilege bug and two moderate severity information disclosure issues), Qualcomm components (one critical and five high severity), and Qualcomm closed-source components (eight critical and twenty-two high risk).

Google also released a new set of security patches for Pixel devices to address a total of 14 vulnerabilities: two in Kernel components, nine in Qualcomm components, and three in Qualcomm closed-source components. All of these bugs feature a moderate severity rating.

On Google devices, a security patch level of 2020-04-05 or later addresses all of the vulnerabilities included in the Android Security Bulletin—April 2020 and Pixel Update Bulletin—April 2020.

Related: Google Patches Critical Remotely Exploitable Android Bug

Related: ‘Cookiethief’ Android Malware Hijacks Facebook Accounts

Related: Android’s February 2020 Update Patches Critical System Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.