SB2022010536 - Multiple vulnerabilities in Google Pixel

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022010536

SB2022010536 - Multiple vulnerabilities in Google Pixel

Published: January 5, 2022 Updated: April 4, 2023

Security Bulletin ID SB2022010536
Severity
Low
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2021-39678)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Gboard subcomponent in Pixel. A local application can execute arbitrary code.


2) Improper input validation (CVE-ID: CVE-2021-39679)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Display/graphics subcomponent in Pixel. A local application can execute arbitrary code.


3) Improper input validation (CVE-ID: CVE-2021-39682)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Display/graphics subcomponent in Pixel. A local application can execute arbitrary code.


4) Improper input validation (CVE-ID: CVE-2021-39683)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Titan M2 subcomponent in Pixel. A local application can execute arbitrary code.


5) Improper input validation (CVE-ID: CVE-2021-39684)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Bootloader subcomponent in Pixel. A local application can execute arbitrary code.


6) Race condition (CVE-ID: CVE-2021-40490)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.


7) Information exposure (CVE-ID: CVE-2021-39680)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Titan M2 subcomponent in Pixel. A local application can gain access to sensitive information.


8) Improper input validation (CVE-ID: CVE-2021-39681)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Telephony subcomponent in Pixel. A local application can execute arbitrary code.


9) Use-after-free (CVE-ID: CVE-2021-30313)

The vulnerability allows a malicious application to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in Wired Connectivity caused by a race condition while creating and deleting folders. A malicious application can trigger the use-after-free error and execute arbitrary code with elevated privileges.


10) Improper access control (CVE-ID: CVE-2021-30314)

The vulnerability allows a malicious application to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Telephony component. A malicious third party application can access the Telephony service and obtain sensitive information.


Remediation

Install update from vendor's website.

References