
Google Warns of New Android 0-Day Vulnerability Under Active Targeted Attacks
2021-11-02 22:20

Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks.

Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation.

"There are indications that CVE-2021-1048 may be under limited, targeted exploitation," the company noted in its November advisory without revealing technical details of the vulnerability, the nature of the intrusions, and the identities of the attackers that may have abused the flaw.

Also remediated in the security patch are two critical remote code execution vulnerabilities - CVE-2021-0918 and CVE-2021-0930 - in the System component that could allow remote adversaries to execute malicious code within the context of a privileged process by sending a specially crafted transmission to targeted devices.

Two more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required.

CVE-2020-11261 - Improper input validation in Qualcomm Graphics component.


News URL

https://thehackernews.com/2021/11/google-warns-of-new-android-0-day.html

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK

2021-12-15 | CVE-2021-1048 | Use After Free vulnerability in Google Android | 7.2
In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free.
local, low complexity, google, CWE-416

2021-12-15 | CVE-2021-0930 | Out-of-bounds Write vulnerability in Google Android | 8.3
In phNxpNciHal_process_ext_rsp of phNxpNciHal_ext.cc, there is a possible out of bounds write due to a missing bounds check.
low complexity, google, CWE-787

2021-12-15 | CVE-2021-0918 | Out-of-bounds Write vulnerability in Google Android 12.0 | 8.3
In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to a missing bounds check.
low complexity, google, CWE-787

2021-11-12 | CVE-2021-1975 | Out-of-bounds Write vulnerability in Qualcomm products | critical, 10.0
Possible heap overflow due to improper length check of domain while parsing the DNS response in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables
network, low complexity, qualcomm, CWE-787

2021-11-12 | CVE-2021-1924 | Information Exposure Through Discrepancy vulnerability in Qualcomm products | 2.1
Information disclosure through timing and power side-channels during mod exponentiation for RSA-CRT in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
local, low complexity, qualcomm, CWE-203

2021-06-09 | CVE-2020-11261 | Improper Input Validation vulnerability in Qualcomm products | 7.2
Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
local, low complexity, qualcomm, CWE-20

Related vendor

VENDOR   #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Google   141         994  4850    2758  1634      10236
Android  4           0    17      2     0         19