Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches Remote Code Execution Bugs in Android 10

Google’s October 2019 set of security patches for Android address a total of 26 vulnerabilities in the operating system, including a couple of remote code execution bugs impacting Android 10.

Google’s October 2019 set of security patches for Android address a total of 26 vulnerabilities in the operating system, including a couple of remote code execution bugs impacting Android 10.

The most important of these vulnerabilities are three remote code execution flaws in the Media framework (CVE-2019-2184, CVE-2019-2185, and CVE-2019-2186), all three rated Critical on Android 7.1.1, 7.1.2, 8.0, 8.1, and 9.

“The most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

CVE-2019-2185 and CVE-2019-2186 also impact the latest platform iteration, Android 10. However, their impact is mitigated due to safety improvements in the operating system, and they are considered only Medium risk on this version.

All three issues are addressed on devices running 2019-10-01 security patch level, which also includes patches for High severity vulnerabilities in Framework (elevation of privilege), Media framework (information disclosure), and System (elevation of privilege and information disclosure).

The second part of this month’s updates is delivered via the 2019-10-05 security patch level, which includes fixes for a High severity bug in the Kernel component, three High risk issues in Qualcomm components, and 8 Critical and 7 High severity vulnerabilities in Qualcomm closed-source components.

In addition to these security updates, Google released a separate set of patches for Pixel devices, to address vulnerabilities specific to them.

The Internet giant also notes that Pixel 1 and Pixel 2 phones will receive a fix for CVE-2019-2215 as part of the October update (Pixel 3 and Pixel 3a are not vulnerable). The vulnerability is an elevation of privilege that has already been exploited in attacks.

The update also includes a fix for a High risk information disclosure in Framework (CVE-2019-2183), and two patches for Moderate severity flaws in Qualcomm components (CVE-2019-2297 and CVE-2019-10566).

Additionally, Google included a series of functional patches in this month’s update for Pixel devices, to improve Wi-Fi connectivity, fix missing notifications in Pixel Stand mode, improve sensor calibration and system stability, and fix and improve various user interface issues.

Related: Zero-Day Used in the Wild Impacts Pixel 2, Other Android Phones

Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.