Google has released its April 2019 set of security patches for the Android platform, which fixes three Critical vulnerabilities, including two that affect the Media framework component.
Tracked as CVE-2019-2027 and CVE-2019-2028, the two security flaws could be exploited remotely by attackers to execute code on vulnerable devices. Android versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9 are impacted.
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google’s advisory reads.
Both bugs were addressed as part of the 2019-04-01 security patch level, along with one High severity flaw (elevation of privilege) in Framework and 8 High risk issues in System (5 elevation of privilege and 3 information disclosure).
The second part of this month’s security fixes, included in the 2019-04-05 security patch level, addresses over 75 vulnerabilities in System and open and closed-source Qualcomm components.
The first of the four issues patched in System is a Critical remote code execution bug that impacts Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9, the same as the flaws in Media framework. The remaining three are High risk bugs (2 elevation of privilege and 1 information disclosure).
Another Critical vulnerability was addressed in Qualcomm components, along with 29 other High severity flaws. Of the 30 bugs, 29 impact WLAN HOST, and only one affects Kernel.
Of the 44 vulnerabilities patched in Qualcomm closed-source components, 6 were rated Critical and 38 were rated High severity.
No Pixel security fixes were included in the April 2019 Pixel Update Bulletin, but Google did release some functional patches for Pixel devices, to improve the functionality of assistant, Wi-Fi connectivity, and display functionality of Pixel 3 and Pixel 3 XL, and Bluetooth connectivity on Pixel and Pixel XL.
Related: Android Q Brings New Privacy and Security Features
Related: 18,000 Android Apps Violate Google’s Ad ID Policies: Analysis