Google this week announced the December 2022 Android updates with patches for over 75 vulnerabilities, including multiple critical remote code execution (RCE) flaws.
The most severe of the RCE bugs is CVE-2022-20411, an issue in Android’s System component that could be exploited over Bluetooth.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed,” Google explains in its advisory.
Two other critical-severity RCE flaws (CVE-2022-20472 and CVE-2022-20473) were resolved in the Framework component. Google also patched a critical information disclosure (CVE-2022-20498) in the System component.
All four issues were resolved as part of the 2022-12-01 security patch level, which addresses a total of 41 vulnerabilities in Android Runtime (1), Framework (20), Media framework (1), and System (19).
Most of the addressed security defects are high-severity flaws, with escalation of privilege being the most common type. Information disclosure and denial-of-service (DoS) issues were also resolved.
An additional 35 high-severity vulnerabilities were resolved as part of the 2022-12-05 security patch level, in Kernel, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components.
Devices using a security patch level of 2022-12-05 or newer include patches for all the vulnerabilities above, as well as for those resolved with previous Android security updates.
A total of 151 Pixel-specific vulnerabilities were resolved this month, Google announced. Most of the bugs are medium-severity escalation of privilege issues, with numerous information disclosure bugs addressed as well.
Pixel devices running a security patch level of 2022-12-05 include patches for all vulnerabilities described in the December 2022 Android security bulletin, as well as for the 151 bugs mentioned above.
Google’s December 2022 Android Automotive OS (AAOS) update bulletin describes eight AAOS vulnerabilities that have been resolved alongside the flaws addressed with a security patch level of 2022-12-05 from the December 2022 Android security bulletin.