Connect with us

Hi, what are you looking for?


Mobile & Wireless

Unpatched Privilege Escalation Vulnerability Impacts Android

The Android operating system is affected by a zero-day privilege escalation bug residing in the V4L2 driver, Trend Micro’s Zero Day Initiative (ZDI) reveals.

The Android operating system is affected by a zero-day privilege escalation bug residing in the V4L2 driver, Trend Micro’s Zero Day Initiative (ZDI) reveals.

V4L2 is a two-layer driver system for Linux that uses methods very similar to the regular Linux char driver methods, but with parameters specific for V4L2 drivers only. All V4L2 drivers are modules.

The discovered vulnerability resides in the manner in which the V4L2 driver on Android handles data.

“The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel,” ZDI says.

An attacker with access to a vulnerable device can exploit this security hole to escalate privileges.

If local access is not available, the attacker needs to first obtain the ability to execute low-privileged code on the target system, which would then allow them to exploit the vulnerability.

Although Google released a new set of patches for the Android platform only several days ago, this specific vulnerability remains unpatched.

Advertisement. Scroll to continue reading.

Despite that, ZDI has decided to publish information on the security flaw, given that it first informed Google on its existence on March 13, 2019. The search giant informed ZDI that it plans on releasing a fix, but hasn’t provided details on when that might happen.

The vulnerability, ZDI says, has a CVSS score of 7.8. Its severity is likely diminished because local access is required for successful exploitation.

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,” ZDI notes.

Related: Android’s September 2019 Patches Fix Nearly 50 Vulnerabilities

Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...