The Android Security Update for June has been released containing patches for 56 vulnerabilities, 5 of which have been assigned a critical severity rating, and one which is known to be actively exploited. The critical severity flaws patched this month include three remote code execution flaws, CVE-2023-21108 and CVE-2023-21130 are found in the Android System, and CVE-2023-21127 affecting the remote procedure call in the Android Framework. The other two critical severity flaws are memory corruption vulnerabilities, affecting the Qualcomm closed-source components, tracked as CVE-2022-33257, and CVE-2022-40529.  

The latest security patch level, 2023-06-05, patches CVE-2022-22706, a high severity vulnerability with a CVSS base score of 7.8, which is believed to be actively exploited since December last year. This flaw occurs within the Arm Mail GPU Kernel Driver and can be exploited by attackers to obtain write access to read-only memory pages. This flaw is believed to be exploited in a spyware campaign targeting Samsung devices. The developer, Arm, patched this flaw in January, and Samsung included it in their May updates, however this fix has only been included in the general Android update this month. The active exploitation of this flaw has also been publicised by CISA (The Cybersecurity and Infrastructure Security Agency) through an advisory they released in March. CISA also added this flaw to their Known Exploited Vulnerabilities Catalog at this time. 

For Framework and System updates, Android patch level 2023-06-01 must be applied. Patch level 2023-06-05 includes these updates as well as patches for third party components including Arm and Qualcomm. In order to be protected from these vulnerabilities Android devices should have the latest updates applied as soon as possible when these versions are made available by the vendor. Users should be aware that devices running Android 10 or older versions are no longer supported, and updates will not be made available by the vendor.