Search This Blog

Google: Two Major Pixel Vulnerabilities Patched

Qualcomm chips are the most extensively used in Android smartphones.

 

Google has published updates for Android 10, 11, 12, and 12L which include Pixel security patches. The Android Security Bulletin for May offers information about security flaws could affect Android devices. 
 
The Pixel Update Bulletin offers information about security flaws and functional enhancements for concerned Pixel devices. Google Pixel phones are "pure Android" devices. The two bulletins identify significant vulnerabilities as follows : 

  • CVE-2022-20120—Bootloader [Critical] The bootloader has a remote code execution (RCE) flaw. The bootloader on Android is a software program that loads the operating system every time users turn on the phone. It can only load software which has been signed by Google by default. If users unlock the bootloader, though, it will run whatever software you specify. The precise problem hasn't been revealed yet, but based on the scale of access required to exploit it, it may be very serious.
  • CVE-2022-20117— Titan-M[Critical] Titan M has an information disclosure (ID) flaw. Titan M is a security management chip designed specifically for Pixel phones to protect the most sensitive data and os version on the device. Titan M aids the bootloader in ensuring users running the correct Android version. . However, being able to steal data from the portion which is supposed to protect the most sensitive information does not look well. 
  • CVE-2021-35090: Qualcomm[Moderate] Qualcomm chips are the most extensively used in Android smartphones. 9.3 out of 10 for CVSS. Qualcomm has recognized this race condition in Kernel as a Time-of-check Time-of-use (TOC TOU). A potential hypervisor memory corruption owing to a TOC TOU race scenario when changing address mappings was also mentioned. A TOC TOU occurs whenever a resource is tested for a specific value, such as whether or not a file exists, and then the value alters before the asset is utilized, invalidating the check's results. When multiple threads have access to shared data and attempt to update it at the same time, a race condition occurs.
  • CVE-2022-20119 Display/Graphics[High] 
  • CVE-2022-20121 USCCDMService[High] 

The most serious of these issues, according to Google, is a highly secure vulnerability in the Framework component which might lead to local elevation of privilege (EoP) with user execution rights required, although the company does not specify which of the four candidates it is. 

All problems in these bulletins are addressed in security patch versions 2022-05-05 or later for Google and other Android devices. Check and update one Android version to discover how to check a device's security patch level. Experts advise all Android users to update to the most recent version. 

This week, the Pixel 3a and Pixel 3a XL series will acquire its final security updates. When it comes to support, they then reach the End-of-Life (EOL)
Share it:

Android Security

CVE vulnerability

EOL

Google Pixel Phones

Kernel

Qualcomm

Vulnerability and Exploits