Google patches a serious Android vulnerability in devices with Qualcomm chipsets

Google patched 28 vulnerabilities during the April Android patch cycle, including one rated critical. This vulnerability makes phones equipped with Qualcomm chipsets vulnerable to remote attacks. Another high-priority vulnerability was in Android native code and allowed malicious apps to escalate their permissions without user interaction.

The latter vulnerability could allow these applications to access data or perform actions outside their normal scope. Google rates the impact of this vulnerability as “high.” Both vulnerabilities are also listed in Google's April security bulletin.

Buffer overflow

The critical vulnerability in Android devices with a Qualcomm chipset is located in the data modem. It allows an attacker to cause a buffer overflow during DTLS handshake verification, which makes it possible to execute code, so-called code injection. The vulnerability is tracked as CVE-2023-28582 and received a rating of 9.8 out of 10 on the CVSS vulnerability scale. It is also included in Qualcomm's own security bulletin.

Not only does Google fix bugs in the code of its Android operating system, it also ships fixes for components from chip manufacturers like Qualcomm and MediaTek. The Widevine digital rights management system, developed by Google, is also receiving updates. The company identifies patch levels by date: devices receiving the April updates will have a patch level of “2024-04-01” or “2024-04-05”.

Manufacturers must add all patches from the April Android release to their own updates and make them available to their users. These updates are available for Android 12, 12L, 13, and 14.
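To check a fleet against the patch levels named above, the following added example (not from the article or from Google) classifies a constructed device inventory by its reported security patch level. It assumes the usual Android bulletin split, which the article does not spell out: the "-01" level covers framework and system fixes, and the "-05" level adds vendor components such as the Qualcomm modem fix.

```python
import re
from datetime import date

# Assumption (not stated in the article): the -01 level covers Android
# framework/system fixes, the -05 level adds vendor components (Qualcomm etc.).
FRAMEWORK_LEVEL = date(2024, 4, 1)
FULL_LEVEL = date(2024, 4, 5)
PATCHED_RELEASES = {"12", "12L", "13", "14"}  # releases named in the article

# Constructed inventory: (device id, Android release, security patch string,
# e.g. as read from the ro.build.version.security_patch system property).
INVENTORY = [
    ("dev-001", "14", "2024-04-05"),
    ("dev-002", "13", "2024-04-01"),
    ("dev-003", "12L", "2024-01-05"),
    ("dev-004", "11", "2023-02-01"),
    ("dev-005", "14", "April 2024"),
    ("dev-006", "14", "2024-05-01"),
]

def classify(release, patch_level):
    """Return the April update status for one device."""
    if release not in PATCHED_RELEASES:
        return "unsupported-release"
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", patch_level.strip())
    if not m:
        return "unparseable"
    try:
        level = date(*map(int, m.groups()))
    except ValueError:  # well-formed string, impossible date
        return "unparseable"
    if level >= FULL_LEVEL:
        return "full"
    if level >= FRAMEWORK_LEVEL:
        return "framework-only"
    return "behind"

def audit(inventory):
    """Group device ids by status so the gaps are easy to report."""
    report = {}
    for device_id, release, patch_level in inventory:
        report.setdefault(classify(release, patch_level), []).append(device_id)
    return report

if __name__ == "__main__":
    for status, devices in sorted(audit(INVENTORY).items()):
        print(f"{status:20} {', '.join(devices)}")
```

Devices in the "framework-only" group have the April framework fixes but, under the stated assumption, not yet the chipset-vendor patches.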

Similar to the January vulnerability

In the January Android security update, Google patched a similar vulnerability that affected phones equipped with a Qualcomm chip. That vulnerability was also in the data modem, and as with the most recent one, there was concern that phones could be vulnerable to a remote attack via code injection in the event of a buffer overflow.

Google notes that manufacturers were notified of the vulnerabilities at least a month in advance, but as always, not all Android devices are guaranteed to receive updates in a timely manner. This is due to discontinuation of support by manufacturers or delayed rollout of updates.

Winton Frazier
