Android Points Patches for 4 New Zero-Day Bugs Exploited within the Wild

Google on Wednesday up to date its Could 2021 Android Safety Bulletin to reveal that 4 of the safety vulnerabilities that had been patched earlier this month by Arm and Qualcomm might have been exploited within the wild as zero-days.

“There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 could also be underneath restricted, focused exploitation,” the search large said in an up to date alert.

password auditor

The 4 flaws affect Qualcomm Graphics and Arm Mali GPU Driver modules —

  • CVE-2021-1905 (CVSS rating: 8.4) – A use-after-free flaw in Qualcomm’s graphics element resulting from improper dealing with of reminiscence mapping of a number of processes concurrently.
  • CVE-2021-1906 (CVSS rating: 6.2) – A flaw regarding insufficient dealing with of tackle deregistration that might result in new GPU tackle allocation failure.
  • CVE-2021-28663 (CVSS rating: NA) – A vulnerability in Arm Mali GPU kernel that might allow a non-privileged consumer to make improper operations on GPU reminiscence, resulting in a use-after-free state of affairs that might be exploited to achieve root privilege or disclose data.
  • CVE-2021-28664 (CVSS rating: NA) – An unprivileged consumer can obtain learn/write entry to read-only reminiscence, enabling privilege escalation or a denial-of-service (DoS) situation resulting from reminiscence corruption.

Profitable exploitation of the weaknesses may grant an adversary carte blanche entry to the focused gadget and take over management. It is, nonetheless, not clear how the assaults themselves had been carried out, the victims which will have been focused, or the menace actors which may be abusing them.

The event marks one of many uncommon cases the place zero-day bugs in Android have been noticed in real-world cyber offensives.

Earlier this March, Google revealed {that a} vulnerability affecting Android units that use Qualcomm chipsets (CVE-2020-11261) was being weaponized by adversaries to launch focused assaults. The opposite flaw is CVE-2019-2215, a vulnerability in Binder — Android’s inter-process communication mechanism — that is stated to have been allegedly exploited by the NSO Group in addition to SideWinder threat actor to compromise a sufferer’s gadget and gather consumer data.

Source link