Google reports in its Android Security Bulletin that there are two critical vulnerabilities in Android 11, 12, 12L and 13. If you have an Android device that is still supported, you should trigger the system update manually to check whether the March security update is already available for your device.
In its Android Security Bulletin for March 2023, Google disclosed the critical vulnerabilities CVE-2023-20951 and CVE-2023-20954. Both serious vulnerabilities can lead to remote code execution without requiring additional execution privileges, and no user interaction is needed for exploitation. If you have a device that is still supported, you should therefore check the system update function to see whether it already offers a security update.
Google has informed the manufacturers
According to the security bulletin, the manufacturers were informed in good time so that they could prepare their security patches. According to Google, the gap affects all devices, including those that have not been rooted by the user. The update via Google Play is also recommended; a tap on the function is enough for the device to check its version.
It sometimes takes quite a long time for manufacturers to roll out the security update. Normally, an available update is reported automatically on the device itself. However, some specialists recommend checking for an available update manually from time to time.
The framework is also affected
The Android framework also has several security gaps. However, all of these vulnerabilities are classified only as high, not critical, and, with one exception, they too affect Android versions 11, 12 and 13. The upcoming March security update will also fix these issues: CVE-2023-20906, CVE-2023-20911, CVE-2023-20917, CVE-2023-20947, CVE-2023-20963, CVE-2023-20956, CVE-2023-20958, CVE-2023-20964.
The most severe of these CVEs could lead to local privilege escalation after an application is upgraded to a higher target SDK, without requiring additional execution privileges.
More at Android.com