In the latest December Android Security Bulletin, Google revealed that it had discovered a “critical security vulnerability” in the Android operating systemwhich leaves the security of millions of mobile users in doubt.
The identification of this vulnerability, with code CVE-2023-40088 in the National Vulnerability Database, highlights a critical issue affecting the security of the Android operating system.
The vulnerability manifests during the execution of a specific callback_thread_event, leading to possible memory corruption with a use-after-free vulnerability. In layman’s terms, this means that Android devices could gain unauthorized access to critical areas of code, allowing a cybercriminal to execute code remotely, without requiring any interactions.
Although Google has provided a solution, it seems that the onus is on device manufacturers to implement the necessary updates and protect their users.
Google already has a solution, but the patch will arrive depending on the brand and model
It is important to understand that, although this vulnerability can be exploited remotely, a potential attacker must be more or less close to the target device to successfully carry out the intrusion. Wireless connections, such as WiFi, Bluetooth or NFC, as mentioned, are potential ways to exploit this vulnerability..
Taking all this into account, Google, as mentioned before, has provided a solution for the affected versions of Android, ranging from Android 11 to the latest, Android 14, through the Android Open Source Project (AOSP).
However, the patch deployment process is not instantaneous, as each Android device manufacturer must submit their own update. The Pixels could be the first to receive the patch, but these times may vary depending on the brand and model.
“Exploitation of many issues on Android becomes more difficult due to improvements in newer versions of the Android platform. We encourage all users to update to the latest version of Android whenever possible,” they explain in the bulletin.
