Google on Monday announced the release of patches for 51 vulnerabilities as part of the October 2023 security updates for Android, including fixes for two zero-day flaws exploited in malicious attacks.
The first of the exploited issues is CVE-2023-4863 (CVSS score of 8.8), a heap buffer overflow in the Libwebp library that leads to an out-of-bounds memory write and remote code execution (RCE).
In the Android security bulletin for October 2023, Google explains that the vulnerability impacts the System component and assesses it with a ‘critical’ severity rating.
While the tech giant does not provide specific information on the observed in-the-wild exploitation, the issue was identified and reported by Apple and the Citizen Lab group at The University of Toronto's Munk School, which often details attacks linked to commercial spyware vendors. The flaw had been exploited to deliver spyware to iPhones.

Android's October 2023 Security Updates Patch Two Exploited Vulnerabilities
The October 2023 security update for Android patches two vulnerabilities exploited in attacks, both likely linked to spyware vendors.
Android Security Bulletin—October 2023 | Android Open Source Project
