Google announced on Monday that it discovered a critical security vulnerability in the Android operating system that potentially allows a malicious actor to execute code on a device "without the need for additional privileges to execute it." The issue has been assigned the identifier CVE-2023-40088. The company will soon release a security update to address this vulnerability, Pcmag.com reports.
Google is not disclosing details about the CVE-2023-40088 vulnerability. It is known to belong to the System category and appears to be exploitable for remote loading and installation of malicious software on a device through Wi-Fi, Bluetooth, or NFC without the device owner's knowledge.
While the vulnerability can be exploited remotely, it is worth noting that the malicious actor needs to be relatively close to the potential victim's device.
Google has not disclosed how the vulnerability was discovered or whether there have been instances of exploitation by malicious actors. In the coming days, the company will release fixes to address the CVE-2023-40088 vulnerability for Android versions 11, 12, 12L, 13, and the latest version Android 14 through the Android Open Source project. Afterward, device manufacturers can distribute the patch through their update channels. The update will be sent to device manufacturers in the next few days. Subsequently, each OEM (Original Equipment Manufacturer) of Android devices will need to send the fix to their users. Google Pixel phones may be among the first to receive the update, but timelines may vary for other brands.
In the release notes for the December security bulletin, Google also reported the discovery of several other critical vulnerabilities in the Android mobile operating system, leading to privilege escalation and information disclosure, affecting Android Framework and System components. Given the severity of these issues, owners of Android-based devices are advised to carefully monitor December security updates and install them as soon as they become available.