Android: fixed 37 vulnerabilities with the november 2023 update

Google has released security updates for Android that fix 37 vulnerabilities, including a critical information disclosure vulnerability. The update, delivered in a patch called 2023-11-01, focuses on 15 flaws in Android's Framework and System components, specifically addressing a critical vulnerability in the System component that could allow information disclosure without additional privileges.

Critical vulnerability details

The main vulnerability, identified as CVE-2023-40113, affects Android versions 11, 12, 12L and 13. It has been fixed along with six other issues in the System component classified as 'high severity'. An additional 14 vulnerabilities addressed by the patch are also considered high severity and could lead to privilege escalation, information disclosure, and denial of service.

Additional security patches for Android components

The second set of November 2023 updates, labeled security patch level 2023-11-05, addresses 22 flaws in components supplied by Arm, MediaTek, and Qualcomm. Devices running the 2023-10-05 security patch level already include fixes for all vulnerabilities mentioned in previous security bulletins, including the November 2023 update.

Security measures specific to Pixel devices and other platforms

This round of updates also includes fixes to eight vulnerabilities specific to Google's Pixel devices, with issues affecting the kernel, WLAN components, and Qualcomm components. For Pixel devices, a security patch level dated 2023-11-01 or later is sufficient to mitigate these risks. Google has not released specific updates for Wear OS and Automotive OS this month, as those platforms are protected by the patches already mentioned. At the moment, there are no reports that these vulnerabilities have been exploited in malicious attacks.