Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks.

Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation. Use-after-free issues are dangerous as it could enable a threat actor to access or referencing memory after it has been freed, leading to a “write-what-where” condition that results in the execution of arbitrary code to gain control over a victim’s system.

“There are indications that CVE-2021-1048 may be under limited, targeted exploitation,” the company noted in its November advisory without revealing technical details of the vulnerability, the nature of the intrusions, and the identities of the attackers that may have abused the flaw.

Also remediated in the security patch are two critical remote code execution (RCE) vulnerabilities — CVE-2021-0918 and CVE-2021-0930 — in the System component that could allow remote adversaries to execute malicious code within the context of a privileged process by sending a specially-crafted transmission to targeted devices.

Two more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV (CVE-2021-0889) could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required.

With the latest round of updates, Google has addressed a total of six zero-days in Android since the start of the year —

  • CVE-2020-11261 (CVSS score: 8.4) – Improper input validation in Qualcomm Graphics component
  • CVE-2021-1905 (CVSS score: 8.4) – Use-after-free in Qualcomm Graphics component
  • CVE-2021-1906 (CVSS score: 6.2) – Detection of error condition without action in Qualcomm Graphics component
  • CVE-2021-28663 (CVSS score: 8.8) – Mali GPU Kernel Driver allows improper operations on GPU memory
  • CVE-2021-28664 (CVSS score: 8.8) – Mali GPU Kernel Driver elevates CPU RO pages to writable