The December 2021 security updates for Android have begun rolling out to users, containing fixes for 46 vulnerabilities, many of them severe. The most serious of the flaws resolved is a fault in the Media framework that “may lead to remote information exposure with no further execution rights required,” according to Google.
In fact, two information disclosure problems in the Media framework component were resolved this month (CVE-2021-0967 and CVE-2021-0964), both as part of the 2021-12-01 security patch level.
The same patch level also includes fixes for three Framework vulnerabilities (two elevation of privilege and one information disclosure, all of which are high severity) and ten System security flaws (two critical – remote code execution and elevation of privilege – and six high severity).
The second section of Google’s December 2021 Android Security Bulletin contains information on 31 vulnerabilities, the majority of which affect Qualcomm closed-source components.
It resolves one vulnerability in the Media framework, three in Kernel components, two in MediaTek components, three in Qualcomm components, and 22 in Qualcomm closed-source components. This part of the update, which includes three vulnerabilities rated critical severity, is being rolled out to devices as the 2021-12-05 security patch level.
All of these vulnerabilities, as well as those fixed by prior patch levels, are resolved on devices running a security patch level of 2021-12-05 or later.
For Pixel smartphones, the 2021-12-05 patch level resolves 85 new vulnerabilities unique to Google’s phones. According to Google’s notice, the majority of these security flaws are of moderate severity.
They comprise 19 defects in the Framework, 9 in the Media framework, 1 in Messaging, 29 in the System, 7 in Kernel components, 19 in Pixel, and 1 in Qualcomm components.