Google has been rolling out monthly security patches for Android to fix a number of flaws, including a zero-day bug that it says may have been exploited in the wild.
Tracked as CVE-2023-35674, the high-severity vulnerability is described as a case of privilege escalation impacting the Android Framework.
“There are indications that CVE-2023-35674 may be subject to limited, targeted exploitation,” the company said in its September 2023 Android Security Bulletin, without going into additional details.
The update also fixes three other privilege escalation flaws in Framework, with the search giant noting that the most serious of these issues “could lead to local escalation of privilege with no additional execution privileges needed” without any user interaction.
Google said it additionally fixed a critical security vulnerability in the System component that could lead to remote code execution without requiring interaction from the victim.
“The severity rating is based on the effect that exploitation of the vulnerability could have on an affected device, assuming that platform and service mitigations are disabled for development purposes or if they are successfully circumvented,” the company added.
In total, Google fixed 14 flaws in the System module and two flaws in the MediaProvider component, the latter delivered as a Google Play system update.