Android released a new list of security vulnerabilities for Android 11, 12 and 13 in November. In addition to one critical gap, there are also another 14 highly dangerous gaps. The security bulletin warns of additional vulnerabilities, depending on whether Arm, MediaTek or Qualcomm components are installed in the mobile device.
Google's security bulletin for November 2023 is worryingly long. However, the security vulnerabilities listed there do not apply to every Android device, even if it uses Android 11, 12 or 13. But even among the generally valid vulnerabilities there are not only one critical gap but also 14 highly dangerous gaps.
According to Google, the critical vulnerability CVE-2023-40113 is particularly threatening because it affects the system. An attacker should not need any additional execution rights for his attack and should therefore be able to access data that is actually secured. The other 14 highly dangerous gaps could allow an expansion of rights or the disclosure of information in the framework.
Additional vulnerabilities due to Arm, MediaTek or Qualcomm components
The security bulletin for November 2023 lists further vulnerabilities if Arm, MediaTek or Qualcomm components are installed in an Android device. Patch level 2023-11-05 applies to them, which is usually intercepted via the device manufacturers' security patches. At Arm this is a highly dangerous gap, at MediaTek it is six.
There are 15 vulnerabilities at Qualcomm, with 4 considered critical in the area of closed source components: CVE-2023-21671, CVE-2023-22388, CVE-2023-28574, CVE-2023-33045. Successful exploitation of critical vulnerabilities could enable privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs, view, change, delete data, or even create a new account with full rights.
More at Android.com