The new Android security update for this month has fixed a total of 46 vulnerabilities, three of which are thought to be actively exploited in what Android describe as “limited, targeted” attacks. Two security patch levels have been released, 2023-07-01, which addresses all issues within this security patch level for the system and framework as well as those reported in previous security updates, and 2023-07-05, which addresses both all issues within this patch level and all previous patch levels including the contents of 2023-07-01 and kernel and third-party components.   

The first actively exploited vulnerability, CVE-2023-26083, was originally determined to be a low severity flaw back in April when it was first published in the NIST National Vulnerability Database (NVD), with a CVSS base score of 3.3. Despite this, this flaw is thought to have been exploited since December 2022 as a part of an attack chain used to deliver spyware alongside previously patched high severity flaw CVE-2023-0266. CVE-2023-26083 is an Arm component memory leak vulnerability found in the Mali GPU kernel driver of Bifrost, Avalon, and Valhall. An exploit of this flaw allows an unprivileged attacker to conduct valid GPU processing operations, which can be used to expose sensitive kernel metadata.   

The second actively exploited vulnerability addressed in this Android update, CVE-2021-29256, is also found in the Arm Mali GPU kernel driver, specifically in versions of Bifrost, Valhalla, and Midgard. This high severity flaw can also be exploited by an unprivileged attacker in order to access freed memory, which can result in information disclosure and escalation to root privileges. The third actively exploited vulnerability, CVE-2023-2136, is a critical severity Google Chrome flaw with a CVSS base score of 9.6, first published in the NVD in April. This integer overflow vulnerability affects the Skia graphic engine used by Chromium OSS browsers. A remote attacker can exploit this flaw using a crafted HTML page to compromise the renderer process and perform a sandbox escape. 

 Despite these vulnerabilities being known and patched by suppliers for individual products they have not been addressed by an Android system update until now. Even with fixes existing for these flaws many users have not updated their devices and so are continuing to fall victim to targeted attacks where these vulnerabilities are exploited. Android advise users to update to the most recent version of the Android platform on all their devices to reduce the likelihood of being victims of exploitation.