Google’s Android operating system updates for May 2021 address a total of 42 vulnerabilities, four of which are deemed critical severity.
Three critical vulnerabilities in the System component were found as part of the 2021-05-01 security patch level, and all three could be exploited remotely to execute arbitrary code on a compromised computer.
“The most serious of these issues is a critical security vulnerability in the System component that could enable a remote attacker to execute arbitrary code in the context of a privileged process using a specially designed file,” Google explains.
Two of the bugs, CVE-2021-0473 and CVE-2021-0474, affect Android 8.1, 9, 10, and 11, while the third, CVE-2021-0475, only affects Android 10 and 11.
In addition to these crucial flaws, Android System has been patched for five other high-severity flaws. Three of these could lead to privilege advancement, while the other two could be used to leak information.
Three high-severity elevation of privilege vulnerabilities in the framework component and two high-severity issues (one elevation of privilege and one information disclosure) in the media framework component are also fixed in the 2021-05-01 security patch standard.
The 2021-05-05 security patch stage, the second part of this month’s security update, addresses 29 vulnerabilities in Android components such as the framework, kernel, AMLogic, ARM, MediaTek, Unisoc, Qualcomm, and Qualcomm closed-source.
The most serious of these flaws is CVE-2021-0467, a critical weakness in AMLogic BootROM that could enable an attacker to execute arbitrary code even before a data signature is performed.
Twenty-seven of the remaining 28 vulnerabilities fixed by the 2021-05-05 security patch level have been assigned a high severity rating, while the last one is rated medium.
Google also released details on the security fixes that fix vulnerabilities unique to Pixel devices on May 3, disclosing a total of seven moderate-severity bugs.
Three of these have an impact on kernel components, one has an impact on Qualcomm components, and the remaining three have an impact on Qualcomm closed-source components.
Many of these bugs, as well as those fixed in this month’s Android updates, are patched on Pixel devices running a security patch level of 2021-05-05 or later.