An Android security bulletin has been released detailing the vulnerabilities patched in the May 2023 updates for patch levels 2023-05-01 and 2023-05-05. Included in this update is a fix for a high-severity flaw, first identified in January, in the Linux kernel of affected devices. This vulnerability is known to have been exploited as a zero-day in attacks before these new patches became available to end users. Threat actors were able to install commercial spyware on vulnerable devices through this exploit.
Tracked as CVE-2023-0266, this use-after-free vulnerability has been given a high severity rating and a CVSS base score of 7.8. The flaw, in the ALSA PCM (Advanced Linux Sound Architecture Pulse Code Modulation) sound system package in the Linux kernel, causes memory to continue to be referenced after it has been freed, which generally leads to a crash, the use of unexpected values, or code execution. In the case of this known exploit, attackers could take advantage of missing locks on SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 to elevate privileges and gain ring0 access from the system user. This attack does not require any user interaction, and the resulting system privileges allow the attackers to install a spyware suite capable of decrypting and exfiltrating data from chat and browser apps on the Android devices.
The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog at the end of March because exploitation of the flaw was involved in spyware campaigns. The devices targeted in these campaigns were Samsung Android phones; however, all Android devices could be vulnerable if this flaw is unpatched. To secure all Android devices, users should apply vendor updates so that they have at least security patch level 2023-05-05, which is the most recent Android version available at this time.
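A check for the patch-level requirement above, written as an added example that is not part of the original article: it classifies devices by their reported security patch level against 2023-05-05. The function names and the sample inventory are constructed for illustration; `ro.build.version.security_patch` is the Android system property that holds the patch level.

```shell
#!/bin/sh
# Minimum security patch level this article says is needed for the CVE-2023-0266 fix.
MIN_PATCH_LEVEL="2023-05-05"

# patch_status LEVEL [MIN] -> prints patched | vulnerable | unknown
patch_status() {
    level=$1
    min=${2:-$MIN_PATCH_LEVEL}
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty, truncated or vendor-mangled value
    esac
    # Zero-padded ISO dates compare correctly as integers once hyphens are removed.
    l=$(printf '%s' "$level" | tr -d '-')
    m=$(printf '%s' "$min" | tr -d '-')
    if [ "$l" -ge "$m" ]; then echo patched; else echo vulnerable; fi
}

# Reads "serial level" lines on stdin, prints "serial level status" per device.
audit_inventory() {
    while read -r serial level rest; do
        [ -n "$serial" ] || continue
        printf '%s %s %s\n' "$serial" "${level:-none}" "$(patch_status "$level")"
    done
}

# Counts audited devices that are not confirmed patched (vulnerable or unknown).
count_unpatched() {
    awk '$3 != "patched" { n++ } END { print n + 0 }'
}

# Live collection (not run here): one "serial level" line per attached device.
# </dev/null stops adb from consuming the loop's stdin; tr strips a trailing CR.
collect_from_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r s; do
        printf '%s %s\n' "$s" \
          "$(adb -s "$s" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')"
    done
}

# Constructed sample inventory (serials and levels are made up for this example).
sample_inventory() {
    printf '%s\n' 'SERIAL-A 2023-05-05' 'SERIAL-B 2023-05-01' \
                  'SERIAL-C 2023-03-01' 'SERIAL-D'
}

sample_inventory | audit_inventory
```

With devices attached, `collect_from_adb | audit_inventory` produces the same report from live data; a device reporting 2023-05-01 is flagged because it is below the level named above.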