Google is committed to advancing racial equity for Black communities. See how.

Published August 20, 2019 | Updated June 11, 2020

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 10. Android 10 devices with a security patch level of 2019-09-01 or later are protected against these issues (Android 10, as released on AOSP, has a default security patch level of 2019-09-01). To learn how to check a device's security patch level, see How to check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 10 release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Announcements

The issues described in this document are addressed as part of Android 10. This information is provided for reference and transparency.

We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

Android and Google Service Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.

The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Android 10—Vulnerability details

The sections below provide details for security vulnerabilities fixed as part of Android 10. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

Android runtime

CVE References Type Severity CVE-2019-9290 A-113039724 EoP Moderate CVE-2019-9429 A-110035108 EoP Moderate

Framework

CVE References Type Severity CVE-2019-9262 A-111792351 RCE Moderate CVE-2019-9256 A-111921829 RCE Moderate CVE-2019-9280 A-119322269 EoP Moderate CVE-2019-2216 A-38390530 EoP Moderate CVE-2019-2089 A-116608833 EoP Moderate CVE-2019-9288 A-111363077 EoP Moderate CVE-2019-9384 A-120568007 EoP Moderate CVE-2019-9269 A-36899497 EoP Moderate CVE-2019-9378 A-124539196 EoP Moderate CVE-2019-9380 A-123700098 EoP Moderate CVE-2019-9407 A-112434609 EoP Moderate CVE-2019-2088 A-143895055 ID Moderate CVE-2019-2058 A-136089102 ID Moderate CVE-2019-9351 A-128599864 ID Moderate CVE-2019-9281 A-32748076 ID Moderate CVE-2019-9377 A-128599663 ID Moderate CVE-2019-9292 A-115384617 ID Moderate CVE-2019-9424 A-110941092 ID Moderate CVE-2019-9399 A-115635664 ID Moderate CVE-2019-9421 A-111215250 ID Moderate CVE-2019-9428 A-110150807 ID Moderate CVE-2019-9323 A-30770233 ID Moderate CVE-2019-9438 A-77821568 ID Moderate CVE-2019-9373 A-130173029 DoS Moderate CVE-2019-9376 A-129287265 DoS Moderate CVE-2019-9372 A-132782448 DoS Moderate

Library

CVE References Type Severity CVE-2019-9423 A-110986616 EoP Moderate CVE-2019-9459 A-79593569 EoP Moderate CVE-2020-0237 A-79592512 EoP Moderate

Media framework

CVE References Type Severity CVE-2019-9297 A-112890242 RCE Moderate CVE-2019-9298 A-112892194 RCE Moderate CVE-2019-9299 A-112663886 RCE Moderate CVE-2019-9300 A-112661610 RCE Moderate CVE-2019-9301 A-112663384 RCE Moderate CVE-2019-9302 A-112661356 RCE Moderate CVE-2019-9303 A-112661057 RCE Moderate CVE-2019-9304 A-112662270 RCE Moderate CVE-2019-9305 A-112661835 RCE Moderate CVE-2019-9306 A-112661348 RCE Moderate CVE-2019-9307 A-112661893 RCE Moderate CVE-2019-9308 A-112661742 RCE Moderate CVE-2019-9346 A-128433933 RCE Moderate CVE-2019-9357 A-112662995 RCE Moderate CVE-2019-9382 A-120874654 RCE Moderate CVE-2019-9405 A-112890225 RCE Moderate CVE-2019-9278 A-112537774 RCE Moderate CVE-2020-0086 A-131859347 EoP Moderate CVE-2019-9310 A-112891546 EoP Moderate CVE-2019-9232 A-122675483 ID Moderate CVE-2019-9247 A-120426166 ID Moderate CVE-2019-9282 A-113211371 ID Moderate CVE-2019-9293 A-117661116 ID Moderate CVE-2019-9294 A-111764444 ID Moderate CVE-2019-9313 A-112005441 ID Moderate CVE-2019-9314 A-112329563 ID Moderate CVE-2019-9315 A-112326216 ID Moderate CVE-2019-9316 A-112052432 ID Moderate CVE-2019-9317 A-112052258 ID Moderate CVE-2019-9318 A-111764725 ID Moderate CVE-2019-9319 A-111762100 ID Moderate CVE-2019-9320 A-111761624 ID Moderate CVE-2019-9321 A-111208713 ID Moderate CVE-2019-9322 A-111128067 ID Moderate CVE-2019-9325 A-112001302 ID Moderate CVE-2019-9334 A-112859934 ID Moderate CVE-2019-9335 A-112328051 ID Moderate CVE-2019-9336 A-112326322 ID Moderate CVE-2019-9337 A-112204376 ID Moderate CVE-2019-9338 A-111762686 ID Moderate CVE-2019-9347 A-109891727 ID Moderate CVE-2019-9359 A-111407302 ID Moderate CVE-2019-9361 A-111762807 ID Moderate CVE-2019-9362 A-120426980 ID Moderate CVE-2019-9364 A-73364631 ID Moderate CVE-2019-9366 A-112052062 ID Moderate CVE-2019-9370 A-133880046 ID Moderate CVE-2019-9406 A-112552517 ID Moderate CVE-2019-9408 A-112380157 ID Moderate CVE-2019-9409 A-112272091 ID Moderate CVE-2019-9410 A-112204443 ID Moderate CVE-2019-9411 A-112204845 ID Moderate CVE-2019-9412 A-112006096 ID Moderate CVE-2019-9415 A-111805098 ID Moderate CVE-2019-9416 A-111804142 ID Moderate CVE-2019-9433 A-80479354 ID Moderate CVE-2019-9252 A-73339042 ID Moderate CVE-2019-9268 A-77474014 DoS Moderate CVE-2020-0088 A-124389881 DoS Moderate CVE-2019-9283 A-112663564 DoS Moderate CVE-2019-9348 A-128431761 DoS Moderate CVE-2019-9349 A-124330204 DoS Moderate CVE-2019-9352 A-124253062 DoS Moderate CVE-2019-9371 A-132783254 DoS Moderate CVE-2019-9379 A-124329638 DoS Moderate CVE-2019-9418 A-111450210 DoS Moderate CVE-2019-9420 A-111272481 DoS Moderate

System

CVE References Type Severity CVE-2019-9363 A-123584306 RCE Moderate CVE-2019-9365 A-109838537 RCE Moderate CVE-2018-9425 A-73884967 EoP Moderate CVE-2019-9463 A-113584607 EoP Moderate CVE-2019-9291 A-112159179 EoP Moderate CVE-2019-9386 A-122361874 EoP Moderate CVE-2019-9375 A-129344244 EoP Moderate CVE-2019-9238 A-121267042 EoP Moderate CVE-2019-9257 A-113572342 EoP Moderate CVE-2019-9258 A-113655028 EoP Moderate CVE-2019-9259 A-113575306 EoP Moderate CVE-2019-9263 A-73136824 EoP Moderate CVE-2019-9266 A-119501435 EoP Moderate CVE-2019-9295 A-36885811 EoP Moderate CVE-2019-9309 A-117985575 EoP Moderate CVE-2019-9350 A-129562815 EoP Moderate CVE-2019-9358 A-120156401 EoP Moderate CVE-2018-9489 A-77286245 ID Moderate CVE-2019-9473 A-115363533 ID Moderate CVE-2019-9474 A-79996267 ID Moderate CVE-2019-9440 A-37637796 ID Moderate CVE-2019-9277 A-68016944 ID Moderate CVE-2019-9233 A-122529021 ID Moderate CVE-2019-9234 A-122465453 ID Moderate CVE-2019-9235 A-122323053 ID Moderate CVE-2019-9236 A-122322613 ID Moderate CVE-2019-9237 A-121325979 ID Moderate CVE-2019-9239 A-121263487 ID Moderate CVE-2019-9240 A-121150966 ID Moderate CVE-2019-9241 A-121036603 ID Moderate CVE-2019-9242 A-121035878 ID Moderate CVE-2019-9243 A-120905706 ID Moderate CVE-2019-9244 A-120865977 ID Moderate CVE-2019-9246 A-120428637 ID Moderate CVE-2019-9249 A-120255805 ID Moderate CVE-2019-9250 A-120276962 ID Moderate CVE-2019-9251 A-120274615 ID Moderate CVE-2019-9253 A-109769728 ID Moderate CVE-2019-9260 A-113495295 ID Moderate CVE-2019-9265 A-37994606 ID Moderate CVE-2019-9272 A-11596047 ID Moderate CVE-2019-9284 A-111850706 ID Moderate CVE-2019-9287 A-78287084 ID Moderate CVE-2019-9289 A-79883824 ID Moderate CVE-2018-9581 A-111698366 ID Moderate CVE-2019-9296 A-112162089 ID Moderate CVE-2019-9312 A-78288018 ID Moderate CVE-2019-9326 A-111215173 ID Moderate CVE-2019-9328 A-111895000 ID Moderate CVE-2019-9329 A-112917952 ID Moderate CVE-2019-9332 A-78286500 ID Moderate CVE-2019-9333 A-109753657 ID Moderate CVE-2019-9344 A-120845341 ID Moderate CVE-2019-9353 A-123024201 ID Moderate CVE-2019-9354 A-118148142 ID Moderate CVE-2019-9355 A-115903122 ID Moderate CVE-2019-9356 A-111699773 ID Moderate CVE-2019-9360 A-120610663 ID Moderate CVE-2019-9368 A-79883568 ID Moderate CVE-2019-9369 A-79995407 ID Moderate CVE-2019-9381 A-122677612 ID Moderate CVE-2019-9383 A-120843827 ID Moderate CVE-2019-9387 A-117569833 ID Moderate CVE-2019-9388 A-117567437 ID Moderate CVE-2019-9403 A-113512324 ID Moderate CVE-2019-9414 A-111893041 ID Moderate CVE-2019-9427 A-110166350 ID Moderate CVE-2019-9431 A-109755179 ID Moderate CVE-2019-9432 A-80546108 ID Moderate CVE-2019-9434 A-80432895 ID Moderate CVE-2019-9435 A-80146682 ID Moderate CVE-2019-9330 A-111214739 ID Moderate CVE-2019-9331 A-112272279 ID Moderate CVE-2019-9341 A-111214770 ID Moderate CVE-2019-9342 A-111214470 ID Moderate CVE-2019-9343 A-112050983 ID Moderate CVE-2019-9367 A-112106425 ID Moderate CVE-2019-9413 A-111935831 ID Moderate CVE-2019-9417 A-111450079 ID Moderate CVE-2019-9419 A-111407544 ID Moderate CVE-2019-9422 A-111214766 ID Moderate CVE-2020-0236 A-79703353 ID Moderate CVE-2019-9279 A-110476382 DoS Moderate CVE-2019-9285 A-111215315 DoS Moderate CVE-2019-9286 A-111213909 DoS Moderate CVE-2019-9311 A-79431031 DoS Moderate CVE-2019-9327 A-112050583 DoS Moderate CVE-2019-9462 A-91544774 DoS Moderate CVE-2019-9389 A-117567058 DoS Moderate CVE-2019-9390 A-117551475 DoS Moderate CVE-2019-9393 A-116357965 DoS Moderate CVE-2019-9394 A-116351796 DoS Moderate CVE-2019-9395 A-116267405 DoS Moderate CVE-2019-9396 A-115747155 DoS Moderate CVE-2019-9397 A-115747410 DoS Moderate CVE-2019-9398 A-115745406 DoS Moderate CVE-2019-9400 A-115509589 DoS Moderate CVE-2019-9401 A-115375248 DoS Moderate CVE-2019-9402 A-115372550 DoS Moderate CVE-2019-9404 A-112923309 DoS Moderate CVE-2019-9425 A-110846194 DoS Moderate CVE-2019-9430 A-109838296 DoS Moderate

Libxaac

The Android 9 libxaac library was marked as experimental and removed from production Android builds as part of the November 2018 Android Security Bulletin. We would like to acknowledge researchers for their findings.

The issues identified include the following CVE IDs: CVE-2019-2055, CVE-2019-2059, CVE-2019-2060, CVE-2019-2061, CVE-2019-2062, CVE-2019-2063, CVE-2019-2064, CVE-2019-2065, CVE-2019-2066, CVE-2019-2067, CVE-2019-2068, CVE-2019-2069, CVE-2019-2070, CVE-2019-2071, CVE-2019-2072, CVE-2019-2073, CVE-2019-2074, CVE-2019-2075, CVE-2019-2076, CVE-2019-2077, CVE-2019-2078, CVE-2019-2079, CVE-2019-2080, CVE-2019-2081, CVE-2019-2082, CVE-2019-2083, CVE-2019-2084, CVE-2019-2085, CVE-2019-2086, CVE-2019-2087, CVE-2019-2138, CVE-2019-2139, CVE-2019-2140, CVE-2019-2141, CVE-2019-2142, CVE-2019-2143, CVE-2019-2144, CVE-2019-2145, CVE-2019-2146, CVE-2019-2147, CVE-2019-2148, CVE-2019-2149, CVE-2019-2150, CVE-2019-2151, CVE-2019-2152, CVE-2019-2153, CVE-2019-2154, CVE-2019-2155, CVE-2019-2156, CVE-2019-2157, CVE-2019-2158, CVE-2019-2159, CVE-2019-2160, CVE-2019-2161, CVE-2019-2162, CVE-2019-2163, CVE-2019-2164, CVE-2019-2165, CVE-2019-2166, CVE-2019-2167, CVE-2019-2168, CVE-2019-2169, CVE-2019-2170, CVE-2019-2171, CVE-2019-2172, CVE-2019-9261, CVE-2019-9264, CVE-2019-9385, and CVE-2019-9391.

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version.

Android 10, as released on AOSP, has a default security patch level of 2019-09-01. Android devices running Android 10 and with a security patch level of 2019-09-01 or later address all issues contained in these security release notes.

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation Definition RCE Remote code execution EoP Elevation of privilege ID Information disclosure DoS Denial of service N/A Classification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix Reference A- Android bug ID

Versions