Google on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days.
“There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,” the search giant said in an updated alert.
The four flaws impact Qualcomm Graphics and Arm Mali GPU Driver modules:
- CVE-2021-1905 (CVSS score: 8.4) – A use-after-free flaw in Qualcomm’s graphics component due to improper handling of memory mapping of multiple processes simultaneously.
- CVE-2021-1906 (CVSS score: 6.2) – A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure.
- CVE-2021-28663 (CVSS score: NA) – A vulnerability in Arm Mali GPU kernel that could permit a non-privileged user to make improper operations on GPU memory, leading to a use-after-free scenario that could be exploited to gain root privilege or disclose information.
- CVE-2021-28664 (CVSS score: NA) – An unprivileged user can achieve read/write access to read-only memory, enabling privilege escalation or a denial-of-service (DoS) condition due to memory corruption.
Successful exploitation of the weaknesses could grant an adversary carte blanche access to the targeted device and take over control. It is, however, not clear how the attacks themselves were carried out, the victims that may have been targeted, or the threat actors that may be abusing them.
The development marks one of the rare instances where zero-day bugs in Android have been spotted in real-world cyber offensives.
Earlier this March, Google disclosed that a vulnerability affecting Android devices that use Qualcomm chipsets (CVE-2020-11261) was being weaponized by adversaries to launch targeted attacks. The other flaw is CVE-2019-2215, a vulnerability in Binder — Android’s inter-process communication mechanism — that’s said to have been allegedly exploited by the NSO Group as well as SideWinder threat actor to compromise a victim’s device and collect user information.