Google has updated its May 2021 Android security bulletin to alert users that four vulnerabilities appear to have been exploited in attacks.
Rolling out to users since early May, the latest Android security update patches over 40 flaws, including four with a severity rating of critical.
This week, Google Project Zero researcher Maddie Stone pointed out on Twitter that the security bulletin has been updated with a note on some bugs being exploited in the wild.
A total of four security issues, rated high and medium severity, “may be under limited, targeted exploitation,” Google notes in the updated bulletin.
Two of the flaws impact Qualcomm components and are tracked as CVE-2021-1905 (high severity) and CVE-2021-1906 (medium risk). Both were identified in the graphics component and patches were rolled out by the vendor in May 2021.
A use-after-free issue, CVE-2021-1905 was reported to Qualcomm in November 2020, and exists because of “improper handling of memory mapping of multiple processes simultaneously.”
CVE-2021-1906 was described as an “improper handling of address deregistration on failure,” which could lead to new GPU address allocation failure. The bug was reported to the vendor in December 2020.
Both of the remaining exploited flaws affect ARM components (the Mali GPU kernel driver) and were disclosed by ARM in March 2021. Tracked as CVE-2021-28663 and CVE-2021-28664, the bugs could lead to improper operations on GPU memory and elevation of CPU RO pages to writable, respectively.
A non-privileged user able to exploit these flaws could gain root permissions, access information, corrupt memory, or modify the memory of other processes.
Users are advised to apply the latest Android patches as soon as possible, to ensure they are protected from any exploitation attempts.