Google fixed a critical zero-click RCE vulnerability (CVE-2023-40088) with the release of the December 2023 Android security updates.
Google December 2023 Android security updates addressed 85 vulnerabilities, including a critical zero-click remote code execution (RCE) flaw tracked as CVE-2023-40088.
The vulnerability resides in Android’s System component, it doesn’t require additional privileges to be triggered. An attacker can exploit the vulnerability to execute arbitrary code on the vulnerable devices without user interaction
“The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.” reads the security advisory.
The IT giant also addressed the following critical vulnerabilities in the Framework component
CVE | References | Type | Severity | Updated AOSP versions |
---|---|---|---|---|
CVE-2023-40077 | A-298057702 | EoP | Critical | 11, 12, 12L, 13, 14 |
CVE-2023-40076 | A-303835719 | ID | Critical | 14 |
in the System component:
CVE | References | Type | Severity | Updated AOSP versions |
---|---|---|---|---|
CVE-2023-45866 | A-294854926 | EoP | Critical | 11, 12, 12L, 13, 14 |
and the following one in the Qualcomm closed-source components
References | Severity | Subcomponent | |
---|---|---|---|
CVE-2022-40507 | A-261468680 * | Critical | Closed-source component |
Android users should promptly address the vulnerabilities once the patch becomes publicly available.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Android)