Google fixed critical zero-click RCE in Android

Google fixed a critical zero-click RCE vulnerability (CVE-2023-40088) with the release of the December 2023 Android security updates.

Google December 2023 Android security updates addressed 85 vulnerabilities, including a critical zero-click remote code execution (RCE) flaw tracked as CVE-2023-40088.

The vulnerability resides in Android’s System component, it doesn’t require additional privileges to be triggered. An attacker can exploit the vulnerability to execute arbitrary code on the vulnerable devices without user interaction

“The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.” reads the security advisory.

The IT giant also addressed the following critical vulnerabilities in the Framework component

CVE References Type Severity Updated AOSP versions
CVE-2023-40077 A-298057702 EoP Critical 11, 12, 12L, 13, 14
CVE-2023-40076 A-303835719 ID Critical 14

in the System component:

CVE References Type Severity Updated AOSP versions
CVE-2023-45866 A-294854926 EoP Critical 11, 12, 12L, 13, 14

and the following one in the Qualcomm closed-source components

References Severity Subcomponent
CVE-2022-40507 A-261468680 * Critical Closed-source component

Android users should promptly address the vulnerabilities once the patch becomes publicly available.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)