Google released its August Android security update, which fixes more than 30 vulnerabilities affecting the core, system, framework, and chip components, including a major vulnerability that could be exploited via Bluetooth.
Google notifies Android partners at least a month before these vulnerabilities are published, and source code fixes will be released to the Android Open Source Project (AOSP) repository within 48 hours of publication.
The most serious of the vulnerabilities fixed this month is CVE-2022-20345. Google did not provide details about it, other than that it allows an attacker to remotely execute code via Bluetooth without obtaining execution permission. It is the only vulnerability listed as a significant risk this month, and it affects AOSP 12 and 12L.
In addition to the RCE vulnerability, six high-risk vulnerabilities were fixed in the Android operating system, including five escalation of privilege (EoP) vulnerabilities and one denial-of-service (DoS) vulnerability.
Google also fixed 9 high-risk vulnerabilities in the framework, including 5 EoP vulnerabilities and 4 information leakage vulnerabilities, as well as 2 high-risk information leakage vulnerabilities in the media framework.
These fixes are only available for Android 10 and up.
At the same time, Google issued another security notice to fix an EoP vulnerability (CVE-2022-1786) in the core file system, and released fixes provided by third-party chip vendors. Affected components include Imagination Technologies GPUs, Qualcomm audio components, MediaTek GPUs, and Unisoc VSP.