A new security update has been released for Android devices, patching a total of 60 vulnerabilities across two security patch levels, including 4 critical severity flaws. The March Android Security Bulletin lists each vulnerability, it’s type, and the severity, however detailed information about each flaw has not yet been released to allow users to apply the security updates before attackers get the opportunity to abuse the disclosed information to reverse engineer an exploit.  

Security patch 2023-03-01 contains Framework, System, and Google Play system updates. Two critical severity vulnerabilities found in the system are patched through this update. CVE-2023-20951 and CVE-2023-20954 are both remote code execution (RCE) vulnerabilities that affect Android versions 11, 12, 12L and 13. An exploit of “the most severe vulnerability” included in this section, and the update as a whole, requires no additional execution privileges and no user interaction. However, Android do not specify which of these critical RCE flaws they are referring to in this disclosure.  

 Security patch 2023-03-05 contains Kernel and third-party components updates, including Qualcomm closed-source components, where the two critical severity flaws patched in this update are found. CVE-2022-33213 is a stack-based buffer overflow vulnerability located in the data modem. The memory corruption occurs when the modem attempts to process a PPP packet, causing a buffer overflow. Despite Android and Qualcomm rating this as a critical flaw, it only has a CVSS base score of 7.5, giving it a CVSS rating of high. CVE-2022-33256 however has a CVSS base score of 9.8, therefore being rated as critical by CVSS. This memory corruption vulnerability occurs in the multi-mode call processor, where improper validation of array index can allow for exploitation. 

All Android users should apply these patches to ensure their devices are fully up to date as soon as they are made available for their device.