Google has released an update stomping out three critical-severity vulnerabilities in its Android operating system — one of which could result in “permanent denial of service” on affected mobile devices if exploited.

The vulnerabilities are part of Google’s December 2019 Android Security Bulletin, which deployed fixes for critical, high and medium-severity vulnerabilities tied to 15 CVEs overall. Qualcomm, whose chips are used in Android devices, also patched 22 critical and high-severity vulnerabilities.

“The most severe of these issues is a critical security vulnerability in the Framework component that could enable a remote attacker using a specially crafted message to cause a permanent denial of service,” according to Google’s Monday update. That DoS flaw, CVE-2019-2232, has been addressed for devices running on versions 8.0, 8.1, 9 and 10 of the Android operating system, Google said.

The other two critical flaws (CVE-2019-2222 and CVE-2019-2223) exist in Android’s Media framework. This framework includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. Android devices running on operating systems versions 8.0, 8.1,9 and 10 have been addressed for these two bugs, which could enable a remote attacker using a crafted file to execute code within the context of a privileged process.

Also fixed were three high-severity elevation-of-privilege flaws (CVE-2019-9464, CVE-2019-2217 and CVE-2019-2218) as well as a high-severity information disclosure glitch (CVE-2019-2220) in the Android framework. And, seven high-severity flaws – including remote-code-execution, elevation-of-privilege and information-disclosure vulnerabilities – were discovered in the Android operating system.

Meanwhile, 22 CVEs – including three critical buffer overflow flaws – were also patched, related to Qualcomm closed-source components, which are used in Android devices. The critical severity flaws exist across various Qualcomm technologies, including the multi-mode call processor (CVE-2019-10500), Wideband Code Division Multiple Access, an alternative to 2G/3G technology developed by Qualcomm, (CVE-2019-10525) and a modem (CVE-2019-2242). Finally, Google issued fixes for various other third-party components in its Android ecosystem, including a high-severity elevation-of-privilege vulnerability (CVE-2018-20961) in the USB MIDI class function driver used in Android’s kernel component.

There are no current reports of these vulnerabilities being exploited in the wild.

Manufacturer Updates

Manufacturers of Android devices typically push out their own patches to address updates in tandem with or after the Google Security Bulletin.

Samsung said in a December security maintenance release that it is releasing several of the Android security bulletin patches, including those addressing critical flaws, CVE-2019-2232, CVE-2019-2222 and CVE-2019-2223, to major Samsung models. Meanwhile LG also rolled out patches covered by the December security bulletin (also addressing the three critical Android flaws as well).

A bulletin said a security update for Pixel devices, which run on Google’s Android operating system, is “coming soon.” Threatpost has reached out to Google for more details around this timeline.

Google’s update comes as out-of-date Android devices continue to face threats, including a new Android vulnerability disclosed this week, called “StrandHogg,” which could allow malware to pose as popular apps and ask for various permissions, potentially allowing hackers to listen in on users, take photos, read and send SMS messages.

In a security notice, the Multi-State Information Sharing and Analysis Center urged Android users to “Apply appropriate updates by Google Android or mobile carriers to vulnerable systems, immediately after appropriate testing” in accordance with the security update bulletin.