Google has released the December 2022 security update for Android, fixing four critical-severity vulnerabilities, including a remote code execution flaw exploitable via Bluetooth.
This month’s update addresses 45 vulnerabilities in core Android components with patch level 2022-12-01, and another 36 vulnerabilities impacting third-party components addressed in patch level 2022-12-05.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed,” mentions the
security bulletin.
The four critical-severity vulnerabilities addressed in this month’s update are:
- CVE-2022-20472 – Remote code execution flaw in Android Framework, impacting Android versions 10 to 13.
- CVE-2022-20473 – Remote code execution flaw in Android Framework, impacting Android versions 10 to 13.
- CVE-2022-20411 – Remote code execution flaw in Android System, impacting Android versions 10 to 13.
- CVE-2022-20498 – Information disclosure flaw in Android System, impacting Android versions 10 to 13.
The rest of the fixed vulnerabilities involve elevation of privileges (EoP), remote code execution, information disclosure, and denial of service problems.
The high-severity EoP flaws are typically exploited by malware sneaking into a device via a low-privilege pathway, such as installing malicious software masquerading as an innocuous app.
That said, applying the available update as soon as it becomes available for your device is crucial, even if none of the flaws are currently reported as actively exploited.
