The April 2021 Android security bulletin published this week by Google describes more than 30 vulnerabilities in the mobile operating system, including a remote code execution flaw in the System component.
Tracked as CVE-2021-0430 and affecting Android 10 and 11, the code execution vulnerability is deemed critical severity. The bug was patched as part of the 2021-04-01 security patch level.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains in its advisory.
Five other vulnerabilities were addressed in the System component: three elevation of privilege and two information disclosure issues. All of these feature a severity rating of high.
The 2021-04-01 security patch level also brings patches for 12 other high-severity vulnerabilities: nine in the Framework component (seven elevation of privilege and two information disclosure bugs), and three in the Media framework (one elevation of privilege and two information disclosure issues).
The second part of this month’s set of patches, which arrives on devices as the 2021-04-05 security patch level, includes fixes for 18 vulnerabilities, in System (two high-severity bugs), Kernel components (two high-severity flaws), MediaTek components (one high-severity issue), Qualcomm components (one high-severity bug), and Qualcomm closed-source components (one critical and 11 high-severity vulnerabilities).
This week, Google also announced new security patches for Pixel devices, which include fixes for three vulnerabilities in Framework (two elevation of privilege flaws) and Qualcomm components. All three feature severity ratings of moderate.
Devices running a security patch level of 2021-04-05 or later have fixes for all of the issues associated with this security patch level, as well as with previous patch levels. On Pixel devices, a security patch level of 2021-04-05 addresses all vulnerabilities in the April 2021 and previous Pixel security bulletins as well.