Google fixes "critical" Android 12 security flaw

[Image: Android logo (image credit: Google)]

Google has fixed a critical security flaw in Android 12 that could have allowed attackers to gain access to a target device without any user interaction.

In its February 2022 Android Security Bulletin, Google says that the flaw, tracked as CVE-2021-39675, is a “critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed.”

Beyond that, the bulletin itself offers little detail. However, The Register spotted a source-level change in Android’s near-field communication (NFC) code that forces the code to check that a size parameter isn’t too large. The publication also suspects Google decided to keep the details quiet because the patches are still being rolled out.
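The fix described above, a check that a size parameter is not too large before it is used, is a standard defensive pattern for any parser that handles peer-supplied data. The following is an added illustration of that pattern, not code from Android or from the patch The Register described: the frame layout (a type byte, a one-byte declared payload length, then the payload), the `MAX_PAYLOAD` limit and the `parse_msg` function are all constructed for this example. The parser rejects any frame whose declared length exceeds either the destination buffer or the number of bytes actually received, so a malformed frame can never drive an out-of-bounds copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for this example (NOT Android's NFC wire format):
 *   byte 0:   message type
 *   byte 1:   declared payload length
 *   bytes 2+: payload
 */
#define HDR_LEN     2
#define MAX_PAYLOAD 16   /* size of the fixed destination buffer */

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
} msg_t;

enum {
    PARSE_OK            =  0,
    PARSE_ERR_SHORT     = -1,  /* input too short to contain the header   */
    PARSE_ERR_TOO_LARGE = -2,  /* declared length exceeds our buffer      */
    PARSE_ERR_TRUNCATED = -3   /* declared length exceeds bytes received  */
};

/* Parse one frame from `in` into `out`. Returns PARSE_OK or a negative
 * error code; on error `out` is left untouched. */
int parse_msg(const uint8_t *in, size_t in_len, msg_t *out)
{
    if (in == NULL || out == NULL || in_len < HDR_LEN)
        return PARSE_ERR_SHORT;

    uint8_t type = in[0];
    uint8_t len  = in[1];

    /* The size-parameter check: a length supplied by the remote peer must
     * never be trusted to bound a copy into a fixed-size buffer. */
    if (len > MAX_PAYLOAD)
        return PARSE_ERR_TOO_LARGE;

    /* Also confirm the sender delivered that many bytes, so the copy
     * below never reads past the end of the input. */
    if ((size_t)len > in_len - HDR_LEN)
        return PARSE_ERR_TRUNCATED;

    out->type = type;
    out->len  = len;
    memset(out->payload, 0, sizeof out->payload);
    memcpy(out->payload, in + HDR_LEN, len);   /* len <= MAX_PAYLOAD here */
    return PARSE_OK;
}

int main(void)
{
    /* Constructed samples: a well-formed 3-byte payload, and a frame that
     * claims 200 payload bytes, far more than the 16-byte buffer holds. */
    const uint8_t good[] = {0x01, 0x03, 0xAA, 0xBB, 0xCC};
    const uint8_t bad[]  = {0x01, 0xC8, 0xAA, 0xBB, 0xCC};
    msg_t m;

    printf("good frame -> %d\n", parse_msg(good, sizeof good, &m));
    printf("bad frame  -> %d\n", parse_msg(bad,  sizeof bad,  &m));
    return 0;
}
```

The two checks are deliberately separate: the first bounds the write into the destination buffer, the second bounds the read from the input. A fix that adds only the first still leaves an over-read if the declared length is small enough to fit the buffer but larger than the data actually received.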

Additional flaws discovered

Unlike iOS, which is a fully centralized operating system where Apple controls the patches, most Android makers ship their own sub-brand of the OS, meaning each of them has to prepare patches for its devices separately. Given that Google develops Android, Google-made phones (such as the Pixel 6) will be among the first to receive this patch.

Still, Google notifies its partners of newly discovered vulnerabilities a month before publicizing anything, so it’s safe to assume that other vendors will be close behind, at least for their flagship models. 

The announcement also lists five other high-severity flaws in the System component that were patched. These include privilege-elevation bugs in Android 11 and 12, as well as denial-of-service flaws in Android 10 and 11.

In addition, Google has identified five high-severity flaws in the Android Framework component, four high-severity bugs in the Media Framework, and two MediaProvider flaws fixed through Google Play updates.

To check for updates manually, Android users can navigate to Settings > Software Update, which is located at the very bottom of the menu. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.