Google has made updates available for Android 10, 11, 12 and 12L. The May Android Security Bulletin contains details of security vulnerabilities affecting Android devices.

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices. Pixel phones are Google’s “pure Android” phones.

In total, these two bulletins mention three vulnerabilities rated as critical. Two of those vulnerabilities only concern Pixel users.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below we will discuss the CVEs that were rated as critical.

Bootloader

CVE-2022-20120: A remote code execution (RCE) vulnerability in the bootloader. On Android, the bootloader is a piece of software that loads the OS every time you boot your phone. By default, it will only load software that was signed by Google. But if you unlock the bootloader, it will load whatever software you tell it to. The exact issue has (not yet) been disclosed, but depending on the level of access needed to exploit this vulnerability, this could be very serious.

Titan-M

CVE-2022-20117: An information disclosure (ID) vulnerability in Titan M. Titan M is an enterprise-grade security chip custom built for Pixel phones to secure the most sensitive on-device data and operating system. Titan M helps the bootloader make sure that you’re running the right version of Android. Again, details about the issue have (not yet) been disclosed. But being able to steal information from the part that is supposed to secure the most sensitive data doesn’t bode too well.

Qualcomm

Qualcomm’s chipsets are the most common ones in the Android smartphone space. The severity assessment of their issues is provided directly by Qualcomm.

CVE-2021-35090: CVSS 9.3 out of 10. Listed by Qualcomm as a Time-of-check Time-of-use (TOC TOU)  Race Condition in Kernel. And specified as a possible hypervisor memory corruption due to TOC TOU race condition when updating address mappings. In general a TOC TOU occurs when a resource is checked for a particular value, such as whether a file exists or not, and that value then changes before the resource is used, invalidating the results of the check. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.

Mitigation

None of the vulnerabilities have been flagged as being used in the wild. Google discloses that the most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege (EoP) with user execution privileges needed, but does not tell us which of the four candidates that is.

For Google and other Android devices, security patch levels of 2022-05-05 or later address all issues in these bulletins. To learn how to check a device’s security patch level, see Check and update your Android version. We encourage all users to update to the latest version of Android where possible.

The Pixel 3a and Pixel 3a XL series will receive security updates for the last time this month. Then they reach the End-of-Life (EOL) stage when it comes to support. For the Pixel 4 and Pixel 4 XL, this will be the case in October 2022.

Stay safe, everyone!