Google unveiled its November Android security patches for its Android platform.
The vulnerabilities include remote code execution bugs, elevation of privilege flaws, and information disclosure vulnerabilities, along with a denial of service.
Components suffering from the issues include Framework, Media framework, System, and Qualcomm.
“The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google said in a post.
Google also said the Libxaac library has been marked as experimental and is no longer used in production of Android builds. The reason for this is the discovery of multiple vulnerabilities in the library. Google listed 18 CVEs related to the library.
Google cut the fixes into two parts, with the 2018-11-01 security patch level, addressing 17 flaws, including four rated critical, all of which impact Media framework.
This security patch level fixes seven elevation of privilege bugs (two rated critical, four high severity, and one medium), three remote code execution bugs (two critical and one high severity), six information disclosure issues (all rated high severity) and one denial of service (medium).
The 2018-11-05 security patch level, fixes 19 issues, three of which ended p rated critical.
Two of the bugs affect the Framework component, while the remaining 17 were in Qualcomm components, including 14 issues in Qualcomm closed-source components (3 critical and 11 high risk).
According to Google, it has no reports of active customer exploitation or abuse of these issues. The company also notes that exploitation of vulnerabilities is more difficult on newer versions of Android and encourages users to update as soon as possible.