The most dire vulnerability targets the Android framework and could allow an adversary to execute arbitrary code on targeted devices.
Google patched six critical remote code execution flaws in its Android operating system as part of its October Android Security Bulletin. Four of those remote code execution flaws are tied to Android’s Media framework and impact a wide range of Android devices including Google’s Pixel and Nexus phones along with handsets made by Samsung, Huawei and LG.
“The most severe of these issues is a critical security vulnerability in Framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to the bulletin released Monday. Google’s Framework simply refers to the entire component stack that makes up the Android OS, which includes native libraries.
In all, Google reported 26 vulnerabilities with eight rated critical, 17 rated high and one rated moderate. Over-the-air updates for Google’s Pixel and Nexus phones are available now, with patches expected from other vendors in the days or weeks ahead.